Process Hacker Discussion Forum

 
440bx
Member
Posts: 63
Joined: 02 Jul 2021 23:33

_LDR_ENUM_RESOURCE_ENTRY definition

25 Aug 2021 06:08

The definition of _LDR_ENUM_RESOURCE_ENTRY in ntldr.h seems to be missing the first field which is the resource Type (a ULONG_PTR that identifies an RT_ICON, RT_MENU, etc). The resource Type is then followed by the union which does appear in the definition.
 
dmex
Admin
Posts: 1693
Joined: 17 Jan 2011 05:43

Re: _LDR_ENUM_RESOURCE_ENTRY definition

25 Aug 2021 10:24

The symbols don't have any type field?
 
440bx
Member
Posts: 63
Joined: 02 Jul 2021 23:33

Re: _LDR_ENUM_RESOURCE_ENTRY definition

25 Aug 2021 19:14

dmex wrote: 25 Aug 2021 10:24
The symbols don't have any type field?
This is how it's defined in ntldr.h
// private
typedef struct _LDR_ENUM_RESOURCE_ENTRY
{
    union
    {
        ULONG_PTR NameOrId;
        PIMAGE_RESOURCE_DIRECTORY_STRING Name;
        struct
        {
            USHORT Id;
            USHORT NameIsPresent;
        };
    } Path[3];
    PVOID Data;
    ULONG Size;
    ULONG Reserved;
} LDR_ENUM_RESOURCE_ENTRY, *PLDR_ENUM_RESOURCE_ENTRY;


In that structure, the first field should be a "ULONG_PTR Type" which indicates the resource type (RT_ICON, RT_MENU, etc) followed by a union that is the NameOrId/Name and that union should be followed by "ULONG_PTR Language". The rest of the structure (Data, Size, etc) is as expected.


Another disconcerting thing about that definition is that there isn't an array of that union. There are 3 ULONG_PTR but only the second one is defined by the union shown in that definition. The first and third fields aren't.
 
dmex
Admin
Posts: 1693
Joined: 17 Jan 2011 05:43

Re: _LDR_ENUM_RESOURCE_ENTRY definition

26 Aug 2021 06:39

440bx wrote: 25 Aug 2021 19:14
In that structure, the first field should be a "ULONG_PTR Type" which indicates the resource type (RT_ICON, RT_MENU, etc) followed by a union that is the NameOrId/Name and that union should be followed by "ULONG_PTR Language". The rest of the structure (Data, Size, etc) is as expected.
LDR_ENUM_RESOURCE_ENTRY can be found in Windows symbols and there isn't any type field?

This is what WinDbg shows on Windows 10:

Image
440bx wrote: 25 Aug 2021 19:14
Another disconcerting thing about that definition is that there isn't an array of that union. There are 3 ULONG_PTR but only the second one is defined by the union shown in that definition. The first and third fields aren't.
Image

Path[0] is the resource type.
Path[1] is the resource name.
Path[2] is the resource language.

This resembles the PE format where any of these 3 can be a directory or a resource.
 
440bx
Member
Posts: 63
Joined: 02 Jul 2021 23:33

Re: _LDR_ENUM_RESOURCE_ENTRY definition

26 Aug 2021 09:12

dmex wrote: 26 Aug 2021 06:39
Path[0] is the resource type.
Path[1] is the resource name.
Path[2] is the resource language.

This resembles the PE format where any of these 3 can be a directory or a resource.
That makes sense. I got my definition of that structure from the ReactOS source where Type, Name and Language are not in a union. I find that definition to be clearer than melting them together in a 3 element union array. Matter of taste, I guess.

Thank you for the clarification.
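
The layout point settled in the thread, as an added example that is not part of any post and not Process Hacker or ReactOS code: the ntldr.h `Path[3]` form and a flat Type/Name/Language form occupy the same bytes. The fixed-width typedefs stand in for the Windows types, and `FLAT_RESOURCE_ENTRY`, `layouts_match` and `as_flat` are hypothetical names, with the flat struct written from 440bx's description rather than copied from any header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-ins for the Windows types (assumption, so this builds anywhere). */
typedef uintptr_t ULONG_PTR;
typedef uint16_t  USHORT;
typedef uint32_t  ULONG;
typedef void     *PVOID;
typedef struct { USHORT Length; char NameString[1]; } IMAGE_RESOURCE_DIRECTORY_STRING;

/* The ntldr.h definition quoted in the thread. */
typedef struct _LDR_ENUM_RESOURCE_ENTRY {
    union {
        ULONG_PTR NameOrId;
        IMAGE_RESOURCE_DIRECTORY_STRING *Name;
        struct { USHORT Id; USHORT NameIsPresent; };
    } Path[3];              /* [0] = type, [1] = name, [2] = language */
    PVOID Data;
    ULONG Size;
    ULONG Reserved;
} LDR_ENUM_RESOURCE_ENTRY;

/* Hypothetical flat form following 440bx's description. */
typedef struct {
    ULONG_PTR Type, Name, Language;
    PVOID Data;
    ULONG Size, Reserved;
} FLAT_RESOURCE_ENTRY;

/* Returns 1 when every field sits at the same offset in both definitions. */
int layouts_match(void) {
    typedef LDR_ENUM_RESOURCE_ENTRY U;
    typedef FLAT_RESOURCE_ENTRY F;
    return sizeof(U) == sizeof(F)
        && offsetof(U, Path[0]) == offsetof(F, Type)
        && offsetof(U, Path[1]) == offsetof(F, Name)
        && offsetof(U, Path[2]) == offsetof(F, Language)
        && offsetof(U, Data) == offsetof(F, Data)
        && offsetof(U, Size) == offsetof(F, Size)
        && offsetof(U, Reserved) == offsetof(F, Reserved);
}

/* Reinterprets a Path[]-style entry as the flat form by copying its bytes. */
FLAT_RESOURCE_ENTRY as_flat(const LDR_ENUM_RESOURCE_ENTRY *e) {
    FLAT_RESOURCE_ENTRY f;
    memcpy(&f, e, sizeof f);
    return f;
}

int main(void) { printf("layouts match: %d\n", layouts_match()); return 0; }
```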