/* offset 0x0 */ struct list entry;
/* offset 0x4 */ GUID id;
/* offset 0x14 */ IChannelHook *hook;
/* Size 0x18 */
OK, let's check its disassembly (taken from XP SP2, 32-bit):
push 18h ; dwBytes
push 0 ; dwFlags
push ?g_hHeap@@3PAXA ; int
call ?pfnHeapAlloc@@3P6GPAXPAXKK@ZA ; PrivHeapAlloc(void *,ulong,ulong)
Looks good so far - the size of channel_hook_entry is really 0x18 bytes.
mov esi, [ebp+ExtensionUuid]
mov eax, [ebp+pChannelHook]
lea edi, [ebx+8] ; GUID located at offset 0x8
movsd
movsd
movsd
movsd
mov [ebx+4], eax ; store pChannelHook at offset 0x4
mov eax, ?gHookList@@3USHookList@@A
mov [ebx], eax ; put ptr to prev list item at offset 0x0
As you can see, the real channel_hook_entry has a completely different layout:
/* offset 0x0 */ struct list entry;
/* offset 0x4 */ IChannelHook *hook;
/* offset 0x8 */ GUID id;
/* Size 0x18 */
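As an added example (not code from the post, nor from Wine or ReactOS), the C program below encodes both layouts with 32-bit pointer fields, checks the disassembly-derived offsets at compile time, and replays the store sequence from the disassembly into a raw 0x18-byte block so the mismatch shows up as a wrong hook pointer when read through the published layout. The struct names, the sample GUID and the pointer values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 16-byte GUID with the same layout as the Windows GUID (constructed here). */
typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } GUID;

/* Pointers are modelled as uint32_t so the 32-bit XP offsets hold on any host. */
typedef uint32_t ptr32;

/* Layout as the source tree describes it (per the post). */
struct entry_claimed  { ptr32 entry; GUID id;    ptr32 hook; };
/* Layout the XP SP2 disassembly writes: [ebx]=prev, [ebx+4]=hook, [ebx+8]=GUID. */
struct entry_observed { ptr32 entry; ptr32 hook; GUID id;    };

/* Compile-time checks against the offsets read off the disassembly. */
_Static_assert(sizeof(struct entry_observed) == 0x18, "size must be 0x18 (push 18h)");
_Static_assert(offsetof(struct entry_observed, hook) == 0x4, "hook stored at [ebx+4]");
_Static_assert(offsetof(struct entry_observed, id) == 0x8, "GUID copied to [ebx+8]");
/* Same total size, which is why the size check alone does not catch the mismatch. */
_Static_assert(sizeof(struct entry_claimed) == 0x18, "claimed layout is also 0x18");

/* Replay the store sequence from the disassembly into a raw 0x18-byte block. */
static void build_entry_as_disassembled(uint8_t buf[0x18], ptr32 prev, ptr32 hook, const GUID *id)
{
    memcpy(buf + 0x0, &prev, 4);   /* mov [ebx], eax   (gHookList)    */
    memcpy(buf + 0x4, &hook, 4);   /* mov [ebx+4], eax (pChannelHook) */
    memcpy(buf + 0x8, id, 16);     /* 4x movsd from ExtensionUuid     */
}

/* Read the hook pointer back through one of the two layouts.
   use_observed=1 -> disassembly-derived layout, 0 -> the published one. */
static ptr32 read_hook(int use_observed)
{
    static const GUID sample = { 0x11223344, 0x5566, 0x7788, {1,2,3,4,5,6,7,8} }; /* constructed */
    uint8_t buf[0x18];
    build_entry_as_disassembled(buf, 0xdeadbeefu, 0x0badf00du, &sample);
    if (use_observed) {
        struct entry_observed e; memcpy(&e, buf, sizeof e);
        return e.hook;                       /* bytes 0x4..0x7: the stored pointer */
    } else {
        struct entry_claimed e; memcpy(&e, buf, sizeof e);
        return e.hook;                       /* bytes 0x14..0x17: tail of the GUID */
    }
}
```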
I am sure that all code of ReactOS was made using reverse engineering, so these misrepresentations were introduced intentionally. Believe me, it is not the first time ReactOS sources lie. Actually, any undocumented internal structures in ReactOS either have a wrong field layout or are monstrously incomplete.
This is actually Wine code, which claims they don't use reverse engineering at all ;)