SHROBJHEAD

The SHROBJHEAD structure is a common header for user objects that can be in shared memory. It is not known before version 4.0. It appears to have been superseded by a rearrangement for version 5.0.

Documentation Status

The SHROBJHEAD is not documented. Microsoft’s name for it is known only because tables for the !dso command as implemented by the USEREXTS debugger extension from the Device Driver Kit (DDK) for Windows NT 4.0 show that the PROCOBJHEAD and THROBJHEAD each have an unnamed SHROBJHEAD as their first member.

Layout

The SHROBJHEAD is 0x10 bytes.

Offset Definition Versions
0x00 (4.0) 
HEAD;
 4.0 only
0x08 (4.0) 
DESKTOP *rpdesk;
 4.0 only
0x0C (4.0) 
BYTE *pSelf;
 4.0 only

See also that rpdesk and pSelf are kernel-mode addresses. The DESKTOP that is pointed to from the object’s rpdesk is not visible in user mode, but the object itself is visible in user mode in all processes that share the desktop. Of course, the object may—indeed, typically will—have a different user-mode address in each such process. So too may structures that are pointed to from the object. All such pointers hold kernel-mode addresses too. By themselves they are equally meaningless to user-mode code in all processes. The key to interpreting them is that pSelf is a kernel-mode address of the object itself. Each process has its user-mode address for the object. Their difference can then be applied to other kernel-mode addresses (of anything in the same view) to convert them to user-mode addresses for that process.

This page was created on 10th September 2017 and was last modified on 17th September 2017.

Copyright © 2017. Geoff Chappell. All rights reserved. Conditions apply.