Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the FSRTL.H header at
d:\th\minkernel\ntos\inc
and draws from it the following type definitions:
| Line Number | Type |
|---|---|
| 353 | struct _ECP_LIST |
| 700 | struct _NONOPAQUE_OPLOCK |
| 844 | struct _WAITING_IRP |
| 909 | struct _RH_OP_CONTEXT |
| 969 | struct _DELAY_ACK_FO |
The header FSRTL.H is not known in any Device Driver Kit (DDK) or Windows Driver Kit (WDK).
For one of the types that the kernel’s public symbols show as defined in FSRTL.H, a C-language definition has slipped out in a header named NTOSIFS.H which Microsoft published with the WDK for Windows 10 in its original and Version 1511 editions. Perusal of this otherwise unpublished header suggests that some of the surrounding content—roughly a hundred lines before and hundreds after—may also come from the unseen FSRTL.H or have a common source.
Whether content is extracted from FSRTL.H to NTOSIFS.H or both are extracted from yet some other input, the effect looks to be that successive lines of FSRTL.H are either duplicated or not in NTOSIFS.H, such that the latter has a contiguous region of lines that are each in FSRTL.H. Matching the line numbers for type definitions as seen in NTOSIFS.H with FSRTL.H line numbers deduced from public symbols would then support a reasonable attempt at reconstructing much of what the unseen FSRTL.H must have between its type definitions.
The bad news for this is that in the whole of the downloadable package of public symbols for the original Windows 10, only the PDB file for the kernel has type information that’s cited as having come from FSRTL.H and, as seen above, this tells of only one type. The good news is that more type information turns up in a statically linked library that Microsoft supplies with the Software Development Kit (SDK). The library is named CLFSMGMT.LIB. Some of the object files that it archives are for linking into kernel-mode drivers. The corresponding source files evidently and perhaps even naturally included Microsoft’s private FSRTL.H. Fortunately, these files were built using a pre-compiled header and the library also archives an object file that was a by-product of creating the pre-compiled header. It thus records not only the types that were regarded as used for any compilation of a source file but all the types that might get used:
| Line Number | Type | NTOSIFS.H |
|---|---|---|
| 353 | struct _ECP_LIST | 1669 |
| 380 | struct _ECP_HEADER | 1696 |
| 700 | struct _NONOPAQUE_OPLOCK | |
| 844 | struct _WAITING_IRP | |
| 909 | struct _RH_OP_CONTEXT | |
| 969 | struct _DELAY_ACK_FO | |
| 996 | struct _OPLOCK_FOEXT | |
| 1023 | struct _FSRTL_EOF_LOCK | 1793 |
| 1114 | struct _TIERING_HEAT_DATA | 1884 |
| 1252 | enum _FSRTL_APP_TERMINATE_REASON | 2022 |