Sometimes I need to peer into undocumented kernel structures like TEB or DEVICE_NODE for different Windows versions. Since I struggled to find a good reference for them, my friend and I created our own. We took the PDB files for kernels from Windows XP through Windows 10 and converted them to C/C++ code. You can check the results at https://www.vergiliusproject.com. I hope it saves somebody's day.
Awesome. So what would heaven look like for you – Mac OS? Linux? – pa
Good work, but I would not be too sure about our host’s reaction to posting it here, considering that someone got put on moderation the other day simply for asking a “non-supported” question on NTDEV …
Anton Bassov
Assuming this was generated from public PDBs I think it’s great. Very nicely done.
We did something similar years back, but generated graphical representations of the structures instead of the C Language typedefs. Very useful in terms of visualizing the structures, their interrelationships, and understanding Windows internals.
ETA: The only thing sadly missing from the structures is the names of the embedded structs/unions. Lacking these makes it harder to accurately interpret the collection of fields in the structure. A small criticism, for sure.
Peter
@“Peter_Viscarola_(OSR)” said:
ETA: The only thing sadly missing from the structures is the names of the embedded structs/unions. Lacking these makes it harder to accurately interpret the collection of fields in the structure. A small criticism, for sure.
Those are unnamed (anonymous) structs/unions – the PDB carries no names for them. We compared our reconstructed code with the available public headers and they match very closely. Our code:
//0x48 bytes (sizeof)
// Reconstructed from the kernel's PDB symbols: the member names, types and the
// trailing //0xNN byte offsets come straight from the debug information. Nested
// structs/unions that the PDB leaves unnamed are emitted as anonymous members,
// which is why there are no tag names on the inner aggregates.
// NOTE(review): the 8-byte stride of the pointer-sized members (Alignment at
// 0x18 -> SlistEntry at 0x20, LoggerContext at 0x38 -> GlobalEntry at 0x40)
// shows these offsets are from a 64-bit build; a 32-bit build would lay the
// pointer-holding members out differently. Offsets of undocumented structures
// can also move between Windows builds, so code that reaches into them should
// verify the layout against the target's own PDB instead of hard-coding these.
struct _WMI_BUFFER_HEADER
{
// Two overlapping views of the first 0x30 bytes: the WNODE header, or the
// per-buffer tracking fields (reference count, offsets, timestamp, ...).
union
{
struct _WNODE_HEADER Wnode; //0x0
struct
{
ULONGLONG Reserved1; //0x0
ULONGLONG Reserved2; //0x8
union _LARGE_INTEGER Reserved3; //0x10
union
{
struct
{
VOID* Alignment; //0x18
// ntwmi.h notes this member is really used as an SLIST_ENTRY; it is declared as
// the smaller SINGLE_LIST_ENTRY to avoid the padding the aligned type would add.
struct _SINGLE_LIST_ENTRY SlistEntry; //0x20
};
struct _LIST_ENTRY Entry; //0x18
};
};
struct
{
LONG ReferenceCount; //0x0
ULONG SavedOffset; //0x4
ULONG CurrentOffset; //0x8
ULONG UsePerfClock; //0xc
union _LARGE_INTEGER TimeStamp; //0x10
struct _GUID Guid; //0x18
struct _WMI_CLIENT_CONTEXT ClientContext; //0x28
// State and Flags alias the same 4 bytes.
union
{
struct _WMI_BUFFER_STATE State; //0x2c
ULONG Flags; //0x2c
};
};
};
ULONG Offset; //0x30
USHORT BufferFlag; //0x34
USHORT BufferType; //0x36
// Either an instance GUID, or a logger pointer plus a list link, at 0x38.
union
{
struct _GUID InstanceGuid; //0x38
struct
{
VOID* LoggerContext; //0x38
// Same SLIST_ENTRY-declared-as-SINGLE_LIST_ENTRY arrangement as SlistEntry
// above (per ntwmi.h, which also says this must not change during logging).
struct _SINGLE_LIST_ENTRY GlobalEntry; //0x40
};
};
};
and the original from ntwmi.h:
// Vendor definition of the same structure (ntwmi.h), quoted for comparison with
// the PDB reconstruction above. The differences are cosmetic: this version uses
// the typedef'd names (WNODE_HEADER, LARGE_INTEGER, GUID, ...) where the
// reconstruction spells out the struct/union tags, and it carries the vendor's
// own notes on why SlistEntry and GlobalEntry are declared as SINGLE_LIST_ENTRY
// rather than the SLIST_ENTRY they are actually used as. The anonymous inner
// structs/unions are anonymous here as well.
typedef struct _WMI_BUFFER_HEADER {
// Two overlapping views of the leading bytes: the WNODE header, or the
// per-buffer tracking fields in the second struct below.
union {
WNODE_HEADER Wnode;
struct {
ULONG64 Reserved1;
ULONG64 Reserved2;
LARGE_INTEGER Reserved3;
union{
struct {
PVOID Alignment;
//
// Note: SlistEntry is actually used as SLIST_ENTRY, however
// because of its alignment characteristics, using that type would
// unnecessarily add padding to this structure.
//
SINGLE_LIST_ENTRY SlistEntry;
};
LIST_ENTRY Entry;
};
};
struct {
LONG ReferenceCount; // Buffer reference count
ULONG SavedOffset; // Temp saved offset
ULONG CurrentOffset; // Current offset
ULONG UsePerfClock; // UsePerfClock flag
LARGE_INTEGER TimeStamp;
GUID Guid;
WMI_CLIENT_CONTEXT ClientContext;
// State and Flags alias the same storage.
union {
WMI_BUFFER_STATE State;
ULONG Flags;
};
};
};
ULONG Offset;
USHORT BufferFlag;
USHORT BufferType;
// Either an instance GUID, or a logger pointer plus a global list link.
union {
GUID InstanceGuid;
struct {
PVOID LoggerContext;
//
// Note: GlobalEntry is actually used as SLIST_ENTRY, however
// because of its alignment characteristics, using that type would
// unnecessarily add padding to this structure.
//
// We need to Make sure that this field is not modified through
// the life time of the buffer, during logging.
//
SINGLE_LIST_ENTRY GlobalEntry;
};
};
} WMI_BUFFER_HEADER, *PWMI_BUFFER_HEADER;
Great stuff. Please keep it up to date. – mp
On Thu, 3 Jan 2019 at 18:50, Sergey_Podobry wrote: