Self Referencing Data Structures – LIST_ENTRY By Anand George

LIST_ENTRY
• Very commonly used in Windows driver code and the Windows kernel.
• Contains a forward and a backward link.
• Normally sits in the middle of the structure.
• Used to keep a circular doubly linked list.
• So in the code we may have to subtract the offset to get to the beginning of the record.
• From WinNT.h:

    typedef struct _LIST_ENTRY {
        struct _LIST_ENTRY *Flink;
        struct _LIST_ENTRY *Blink;
    } LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;

CONTAINING_RECORD
• Automates the subtraction that takes a LIST_ENTRY address back to the start of its record.
• Used to access any specific field.
• Looks complicated at first glance, but it is a matter of getting used to it.
• From WinNT.h.
• Incorrect by the C standard, as it is a null pointer dereference, but almost all compilers (MSVC, gcc, etc.) generate correct code for it.
• Almost all OS kernels (Linux, Windows, BSD) have something similar to the macro below.

    //
    // Calculate the address of the base of the structure given its type, and an
    // address of a field within the structure.
    //
    #define CONTAINING_RECORD(address, type, field) ((type *)( \
        (PCHAR)(address) - \
        (ULONG_PTR)(&((type *)0)->field)))

Demo
• A doubly linked list built with LIST_ENTRY, accessing the elements with CONTAINING_RECORD.
• Using the dt command of WinDbg to display content from memory, showing the processes running on a system.
• Understanding LIST_ENTRY and CONTAINING_RECORD.
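
The list described in the demo, as an added user-mode example (not the presenter's demo code). PROC_RECORD, insert_tail, find_by_pid, build_sample_list and the sample records are hypothetical and constructed for illustration; CONTAINING_RECORD is written with offsetof, which performs the same subtraction without the (type *)0 expression, and the Flink/Blink consistency check in the walk is an addition.

```c
#include <stddef.h>   /* offsetof */
#include <stdio.h>
/* Same layout as the WinNT.h LIST_ENTRY, redefined so this builds anywhere. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY, *PLIST_ENTRY;

/* Standard-conforming variant: offsetof replaces the (type *)0 expression. */
#define CONTAINING_RECORD(address, type, field) \
    ((type *)((char *)(address) - offsetof(type, field)))

/* Hypothetical record; the LIST_ENTRY sits in the middle of the structure. */
typedef struct _PROC_RECORD {
    unsigned long Pid;
    LIST_ENTRY    Links;
    char          ImageName[16];
} PROC_RECORD;

static void insert_tail(PLIST_ENTRY head, PLIST_ENTRY entry) {
    entry->Flink = head;
    entry->Blink = head->Blink;
    head->Blink->Flink = entry;
    head->Blink = entry;
}

/* Walk the circular list; return the record with this Pid, or NULL.
   Also returns NULL if a Flink/Blink pair disagrees (corrupted links). */
static PROC_RECORD *find_by_pid(PLIST_ENTRY head, unsigned long pid) {
    for (PLIST_ENTRY e = head->Flink; e != head; e = e->Flink) {
        if (e->Flink->Blink != e || e->Blink->Flink != e) return NULL;
        PROC_RECORD *rec = CONTAINING_RECORD(e, PROC_RECORD, Links);
        if (rec->Pid == pid) return rec;
    }
    return NULL;
}

/* Constructed sample data: three records linked behind one list head. */
static PROC_RECORD g_recs[3] = { { 4, { 0, 0 }, "System" },
    { 312, { 0, 0 }, "smss.exe" }, { 428, { 0, 0 }, "csrss.exe" } };
static LIST_ENTRY g_head;
static PLIST_ENTRY build_sample_list(void) {
    g_head.Flink = g_head.Blink = &g_head;   /* empty list points at itself */
    for (int i = 0; i < 3; i++) insert_tail(&g_head, &g_recs[i].Links);
    return &g_head;
}

int main(void) {
    PROC_RECORD *rec = find_by_pid(build_sample_list(), 312);
    printf("%s\n", rec ? rec->ImageName : "(not found)");
    return rec ? 0 : 1;
}
```

The list head is a bare LIST_ENTRY with no record around it, which is why the walk stops at the head instead of passing it to CONTAINING_RECORD.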

Summary
• LIST_ENTRY
• CONTAINING_RECORD
• Importance.

Thank you