KSE_COLLECTION

An array of KSE_COLLECTION structures provides the second level in the description of a driver shim. The top level of the description is a KSE_SHIM structure.

Microsoft’s name for this structure is known from symbol files for a driver (NDIS.SYS) that registers a shim and uses C++ for instantiating its KSE_COLLECTION array as statically allocated data: the C++ decoration names the type. Microsoft’s names and types are not known for members, there being no type information in the symbol file.

The KSE_COLLECTION is 0x0C and 0x18 bytes in 32-bit and 64-bit Windows 10, respectively.

Offset (x86) Offset (x64) Size Description
0x00 0x00 dword type of collection:
0 to hook imports from kernel;
1 to hook imports from HAL;
2 to hook imports from named module;
3 to hook I/O requests and other driver functions;
4 for last collection in array
0x04 0x08 pointer for type 2 only: address of name of importing module, as null-terminated Unicode string
0x08 0x10 pointer address of KSE_HOOK array

For the last collection in the array, i.e., for type 4, all other members are ignored.

Each collection that has any other valid type must have a KSE_HOOK array. If instead the pointer is NULL, the shim that contains this collection cannot be registered.