The largest WinAPI structure

[Lunasole]

I was curious how large WinAPI structures can be ("interesting useless statistics"), and seems that DEVMODE is largest one ^^ It is used in functions like CreateDC ().

It has 34 fields. Every included stucture or structure union counted as 1 field, and fields of included structures tree not counting.

Code: Select all

Structure DEVMODE
    dmDeviceName.c[32]
    dmSpecVersion.w
    dmDriverVersion.w
    dmSize.w
    dmDriverExtra.w
    dmFields.l
    dmOrientation.w
    dmPaperSize.w
    dmPaperLength.w
    dmPaperWidth.w
    dmScale.w
    dmCopies.w
    dmDefaultSource.w
    dmPrintQuality.w
    dmColor.w
    dmDuplex.w
    dmYResolution.w
    dmTTOption.w
    dmCollate.w
    dmFormName.c[32]
    dmLogPixels.w
    dmBitsPerPel.l
    dmPelsWidth.l
    dmPelsHeight.l
    StructureUnion
        dmDisplayFlags.l
        dmNup.l
    EndStructureUnion
    dmDisplayFrequency.l
    dmICMMethod.l
    dmICMIntent.l
    dmMediaType.l
    dmDitherType.l
    dmReserved1.l
    dmReserved2.l
    dmPanningWidth.l
    dmPanningHeight.l
EndStructure

[Mijikai]

How about PEB:

Code: Select all

typedef struct _PEB
{
     UCHAR InheritedAddressSpace;
     UCHAR ReadImageFileExecOptions;
     UCHAR BeingDebugged;
     UCHAR BitField;
     ULONG ImageUsesLargePages: 1;
     ULONG IsProtectedProcess: 1;
     ULONG IsLegacyProcess: 1;
     ULONG IsImageDynamicallyRelocated: 1;
     ULONG SpareBits: 4;
     PVOID Mutant;
     PVOID ImageBaseAddress;
     PPEB_LDR_DATA Ldr;
     PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
     PVOID SubSystemData;
     PVOID ProcessHeap;
     PRTL_CRITICAL_SECTION FastPebLock;
     PVOID AtlThunkSListPtr;
     PVOID IFEOKey;
     ULONG CrossProcessFlags;
     ULONG ProcessInJob: 1;
     ULONG ProcessInitializing: 1;
     ULONG ReservedBits0: 30;
     union
     {
          PVOID KernelCallbackTable;
          PVOID UserSharedInfoPtr;
     };
     ULONG SystemReserved[1];
     ULONG SpareUlong;
     PPEB_FREE_BLOCK FreeList;
     ULONG TlsExpansionCounter;
     PVOID TlsBitmap;
     ULONG TlsBitmapBits[2];
     PVOID ReadOnlySharedMemoryBase;
     PVOID HotpatchInformation;
     VOID * * ReadOnlyStaticServerData;
     PVOID AnsiCodePageData;
     PVOID OemCodePageData;
     PVOID UnicodeCaseTableData;
     ULONG NumberOfProcessors;
     ULONG NtGlobalFlag;
     LARGE_INTEGER CriticalSectionTimeout;
     ULONG HeapSegmentReserve;
     ULONG HeapSegmentCommit;
     ULONG HeapDeCommitTotalFreeThreshold;
     ULONG HeapDeCommitFreeBlockThreshold;
     ULONG NumberOfHeaps;
     ULONG MaximumNumberOfHeaps;
     VOID * * ProcessHeaps;
     PVOID GdiSharedHandleTable;
     PVOID ProcessStarterHelper;
     ULONG GdiDCAttributeList;
     PRTL_CRITICAL_SECTION LoaderLock;
     ULONG OSMajorVersion;
     ULONG OSMinorVersion;
     WORD OSBuildNumber;
     WORD OSCSDVersion;
     ULONG OSPlatformId;
     ULONG ImageSubsystem;
     ULONG ImageSubsystemMajorVersion;
     ULONG ImageSubsystemMinorVersion;
     ULONG ImageProcessAffinityMask;
     ULONG GdiHandleBuffer[34];
     PVOID PostProcessInitRoutine;
     PVOID TlsExpansionBitmap;
     ULONG TlsExpansionBitmapBits[32];
     ULONG SessionId;
     ULARGE_INTEGER AppCompatFlags;
     ULARGE_INTEGER AppCompatFlagsUser;
     PVOID pShimData;
     PVOID AppCompatInfo;
     UNICODE_STRING CSDVersion;
     _ACTIVATION_CONTEXT_DATA * ActivationContextData;
     _ASSEMBLY_STORAGE_MAP * ProcessAssemblyStorageMap;
     _ACTIVATION_CONTEXT_DATA * SystemDefaultActivationContextData;
     _ASSEMBLY_STORAGE_MAP * SystemAssemblyStorageMap;
     ULONG MinimumStackCommit;
     _FLS_CALLBACK_INFO * FlsCallback;
     LIST_ENTRY FlsListHead;
     PVOID FlsBitmap;
     ULONG FlsBitmapBits[4];
     ULONG FlsHighIndex;
     PVOID WerRegistrationData;
     PVOID WerShipAssertPtr;
} PEB, *PPEB;

[Lunasole]

How about PEB

Nice size, but it's kernel-mode struct, not Win API

[Keya]

process can read its own PEB and TEB from usermode no problems - address can be obtained in PROCESS_BASIC_INFORMATION, or simply "mov eax, fs:[$18]", and can read other processes PEB/TEBs with ReadProcessMemory

[freak]

The largest one defined in PB (x64) is CONTEXT with 44 fields:

Code: Select all

Structure CONTEXT
  P1Home.i
  P2Home.i
  P3Home.i
  P4Home.i
  P5Home.i
  P6Home.i
  ContextFlags.l
  MxCsr.l
  SegCs.w
  SegDs.w
  SegEs.w
  SegFs.w
  SegGs.w
  SegSs.w
  EFlags.l
  Dr0.i
  Dr1.i
  Dr2.i
  Dr3.i
  Dr6.i
  Dr7.i
  Rax.i
  Rcx.i
  Rdx.i
  Rbx.i
  Rsp.i
  Rbp.i
  Rsi.i
  Rdi.i
  R8.i
  R9.i
  R10.i
  R11.i
  R12.i
  R13.i
  R14.i
  R15.i
  Rip.i
  FltSave.XMM_SAVE_AREA32
  VectorRegister.M128A[26]
  VectorControl.i
  DebugControl.i
  LastBranchToRip.i
  LastBranchFromRip.i
  LastExceptionToRip.i
  LastExceptionFromRip.i
EndStructure

Of course if you count members of structure unions, then VARIANT wins easily.

[nco2k]

yep and PROPVARIANT is even worse.

http://purebasic.fr/english/viewtopic.p ... 11#p489811

c ya,
nco2k