Geoff Chappell - Software Analyst
The OBJECT_DIRECTORY_INFORMATION structure (formally _OBJECT_DIRECTORY_INFORMATION) is a repeating element in what a successful call to ZwQueryDirectoryObject or NtQueryDirectoryObject produces in its output buffer. Each element gives the name and type of an object in the queried directory.
The OBJECT_DIRECTORY_INFORMATION structure is not documented. Neither is Microsoft known to have published any C-language declaration in any header from any development kit for either kernel-mode or user-mode programming.
Microsoft does publish the practical equivalent of a C-language definition as type information in a handful of private symbol files that Microsoft has included in packages of public symbol files, starting with Windows 8, and continues to make available through Microsoft’s public symbol server. These private symbol files are not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure. They are instead for various higher-level user-mode DLLs such as URLMON.DLL. URLMON.DLL is singled out here because of its origins in Internet Explorer, and thence for the strong suggestion that Microsoft’s programmers of Internet Explorer had access to more details of low-level Windows programming than Microsoft publishes for wider use.
Type information for the structure has also seeped out at the other end of the Windows timeline, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.
The OBJECT_DIRECTORY_INFORMATION structure is 0x10 or 0x20 bytes in 32-bit and 64-bit Windows, respectively. These sizes, and the offsets, names and types in the table that follows, are from type information in symbol files:
| Offset (x86) | Offset (x64) | Definition | Versions |
|---|---|---|---|
| | | | 3.10 and higher |
| | | | 3.10 and higher |
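The sizes given above can be checked against a declaration, and the repeating elements walked with bounds checks. This is an added example, not code from the original page or from Microsoft. It assumes, beyond what the page states, that the two members are UNICODE_STRINGs named `Name` and `TypeName` in that order, that the array ends with an all-zero element, and that the strings lie in the same output buffer. The helper names (`USTR`, `ODI`, `odi_count`, `odi_sample`) are hypothetical and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (not on the page): two UNICODE_STRINGs, Name then TypeName. */
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } USTR;
typedef struct { USTR Name, TypeName; } ODI;
/* Sizes the page gives: 0x10 bytes on 32-bit, 0x20 bytes on 64-bit. */
_Static_assert(sizeof(ODI) == (sizeof(void *) == 8 ? 0x20 : 0x10), "ODI size");

/* A string is usable only if it lies wholly inside the output buffer. */
static int ustr_ok(const USTR *s, uintptr_t lo, uintptr_t hi) {
    uintptr_t p = (uintptr_t)s->Buffer;
    return s->Length % 2 == 0 && s->Length <= s->MaximumLength
        && p >= lo && p <= hi && s->Length <= hi - p;
}

/* Count elements up to the assumed all-zero terminator; -1 if malformed. */
int odi_count(const void *buf, size_t size) {
    uintptr_t lo = (uintptr_t)buf, hi = lo + size;
    const ODI *e = buf;
    for (int n = 0; ; n++, e++) {
        if (size < sizeof(ODI) * ((size_t)n + 1)) return -1; /* no terminator */
        if (!e->Name.Buffer && !e->TypeName.Buffer) return n;
        if (!ustr_ok(&e->Name, lo, hi) || !ustr_ok(&e->TypeName, lo, hi)) return -1;
    }
}

/* Constructed sample: two elements, a zeroed terminator, then the strings. */
static struct { ODI e[3]; uint16_t str[40]; } sample;

static void put(USTR *u, const char *s, size_t *at) {
    size_t n = strlen(s);
    u->Buffer = &sample.str[*at];
    for (size_t i = 0; i < n; i++) u->Buffer[i] = (uint8_t)s[i]; /* ASCII to UTF-16 */
    u->Length = (uint16_t)(2 * n);
    u->MaximumLength = (uint16_t)(2 * n + 2);
    *at += n + 1; /* the terminating NUL is already zero from the memset */
}

size_t odi_sample(void) {
    size_t at = 0;
    memset(&sample, 0, sizeof sample);
    put(&sample.e[0].Name, "Device", &at);   put(&sample.e[0].TypeName, "Directory", &at);
    put(&sample.e[1].Name, "REGISTRY", &at); put(&sample.e[1].TypeName, "Key", &at);
    return sizeof sample;
}

int main(void) { printf("%d entries\n", odi_count(&sample, odi_sample())); return 0; }
```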