==============================================================
=                                                            =
=                 NOTES FROM THE UNDERGROUND                 =
=                                                            =
==============================================================
Below are some of Alex's notes on the mysterious LPC Subsystem

=========================
1. Sizes, sizes, sizes...
=========================

There are four important LPC Sizes to keep in mind. Try to understand them:

/*
 * This determines the absolute maximum message size (0x100 bytes). For
 * larger values, use a section-backed message.
 */
#define PORT_MAXIMUM_MESSAGE_LENGTH 256

/*
 * This determines the maximum length of an LPC request. It is the largest
 * number of bytes that an LPC request can take. To calculate this, assume
 * that this is a CONNECTION_REQUEST message, which includes the additional
 * LPCP_CONNECTION_MESSAGE structure as well. Therefore, we add the kernel LPC
 * header, the maximum port size and the size of the connection request
 * structure. This gives a value of 0x15C. However, one must note that NT
 * allocates the Lookaside List using a 16-byte aligned value, making this
 * number 0x160.
 */
#define LPCP_MAX_MESSAGE_SIZE ROUND_UP(PORT_MAXIMUM_MESSAGE_LENGTH + \
                                       sizeof(LPCP_MESSAGE) + \
                                       sizeof(LPCP_CONNECTION_MESSAGE), 16)

/*
 * Now, for an actual LPC Request size, we remove the kernel LPC header, which
 * yields the size of the actual LPC Data that follows the Header, making this
 * number 0x148.
 */
#define LPC_MAX_MESSAGE_LENGTH (LPCP_MAX_MESSAGE_SIZE - \
                                FIELD_OFFSET(LPCP_MESSAGE, Request))

/*
 * Finally, we'll calculate the maximum size of the Connection Info, giving us
 * 0x104
 */
#define LPC_MAX_DATA_LENGTH (LPC_MAX_MESSAGE_LENGTH - \
                             sizeof(PORT_MESSAGE) - \
                             sizeof(LPCP_CONNECTION_MESSAGE))

==========================
2. Structures
==========================
SOON. TODO.
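
Added example (not part of the original notes or of the project's source): the size arithmetic from section 1 carried through in C, so each of 0x15C, 0x160, 0x148 and 0x104 can be checked against a concrete layout. The three structure layouts are assumptions modelling 32-bit x86, with pointers, handles and SIZE_T written as uint32_t; the "32" type names and the helper function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ROUND_UP(n, a) ((((n) + (a) - 1) / (a)) * (a))
#define PORT_MAXIMUM_MESSAGE_LENGTH 256

/* Assumed x86 layouts. Arrays stand in for nested structures. */
typedef struct {
    _Alignas(8) uint16_t DataLength;  /* assumed 8-byte alignment of the header */
    uint16_t TotalLength;
    uint16_t Type, DataInfoOffset;
    uint32_t ClientId[2];             /* process id, thread id */
    uint32_t MessageId;
    uint32_t ClientViewSize;
} PORT_MESSAGE32;                     /* 0x18 bytes */

typedef struct {
    uint32_t Entry[2];                /* list linkage */
    uint32_t SenderPort, RepliedToThread, PortContext;
    PORT_MESSAGE32 Request;           /* offset 0x18 after alignment padding */
} LPCP_MESSAGE32;                     /* 0x30 bytes */

typedef struct {
    uint32_t ClientView[6];           /* client port view */
    uint32_t ClientPort, SectionToMap;
    uint32_t ServerView[3];           /* remote port view */
} LPCP_CONNECTION_MESSAGE32;          /* 0x2C bytes */

/* Sum before the lookaside list's 16-byte rounding: 0x15C. */
size_t lpcp_unaligned_size(void) {
    return PORT_MAXIMUM_MESSAGE_LENGTH + sizeof(LPCP_MESSAGE32) +
           sizeof(LPCP_CONNECTION_MESSAGE32);
}
/* LPCP_MAX_MESSAGE_SIZE: 0x160. */
size_t lpcp_max_message_size(void) { return ROUND_UP(lpcp_unaligned_size(), 16); }
/* LPC_MAX_MESSAGE_LENGTH: drop the kernel-only fields before Request, 0x148. */
size_t lpc_max_message_length(void) {
    return lpcp_max_message_size() - offsetof(LPCP_MESSAGE32, Request);
}
/* LPC_MAX_DATA_LENGTH: drop the port header and connection message, 0x104. */
size_t lpc_max_data_length(void) {
    return lpc_max_message_length() - sizeof(PORT_MESSAGE32) -
           sizeof(LPCP_CONNECTION_MESSAGE32);
}

int main(void) {
    printf("0x%zX 0x%zX 0x%zX 0x%zX\n", lpcp_unaligned_size(),
           lpcp_max_message_size(), lpc_max_message_length(), lpc_max_data_length());
    return 0;
}
```

The 16-byte rounding is why LPC_MAX_DATA_LENGTH comes out four bytes above PORT_MAXIMUM_MESSAGE_LENGTH: the rounding slack from 0x15C to 0x160 is carried through the two subtractions.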