ObfDereferenceObject?

  • Question

  • Hi:

    What is the difference between ObfDereferenceObject and ObDereferenceObject ? Could not find any doc on it.

    Thanks in advance...


    leo

    Tuesday, May 26, 2015 7:17 PM

Answers

  • There are a number of functions that have an "f" version. Take a look at wdm.h and you will find that ObDereferenceObject is just a macro that calls ObfDereferenceObject. But ObDereferenceObject is the documented call; use that, since you can never be sure the other won't change in the future.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    • Marked as answer by SJ-Hills Tuesday, May 26, 2015 7:31 PM
    Tuesday, May 26, 2015 7:25 PM
  • The 'f' suffix to any kernel module prefix (there must be a word that means the suffix to the prefix, but I don't know it) denotes that the routine uses the FASTCALL calling convention, where the first two arguments to the routine are passed in registers instead of being pushed on the stack. This is a performance optimization, but it makes it harder to debug. Other examples include IofCallDriver, KfRaiseIrql, and so on. You can mark your own routines FASTCALL using the FASTCALL decoration (which is a macro that means __fastcall), which is documented here. Not all routines that use the FASTCALL calling convention have the 'f' in the name.

    There are other suffixes to the prefix, such as 'v' for driver verifier hijacks, 'p' denotes a private routine not called from outside the module in which it is defined, 'i' means internal and is similar to 'p'.

     -Brian

    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Tuesday, May 26, 2015 10:11 PM
    Moderator
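The layering the two answers describe, as an added example that is not part of the thread and is not the code in wdm.h: a user-mode mock in which the documented name is a macro over an "f" routine carrying the FASTCALL decoration, and the "f" routine returns the resulting reference count (in wdm.h ObfDereferenceObject is declared with FASTCALL and returns a LONG_PTR; the mock mirrors that shape). The Mock* names, the fixed object pool and the violation counter are this example's own inventions, not object-manager internals. The FASTCALL stand-in expands to __fastcall only under MSVC for 32-bit x86, so the file builds on any host.

```c
/* Added example (not from the thread, not from wdm.h): a user-mode mock of the
 * documented-name-over-"f"-routine pattern, with a toy reference count so the
 * balance of reference/dereference calls can be checked. All Mock* names, the
 * pool and the violation counter are assumptions made for this example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The WDK's FASTCALL is __fastcall, which MSVC honours on 32-bit x86 (first two
 * register-sized arguments in ECX and EDX). On any other compiler or target the
 * decoration expands to nothing so this example still builds. */
#ifndef FASTCALL
#  if defined(_MSC_VER) && defined(_M_IX86)
#    define FASTCALL __fastcall
#  else
#    define FASTCALL
#  endif
#endif

/* Toy object: a reference count and an allocation flag. Not the real header. */
typedef struct _MOCK_OBJECT {
    long PointerCount;   /* outstanding references */
    int  InUse;          /* slot allocated (1) or released (0) */
} MOCK_OBJECT, *PMOCK_OBJECT;

#define MOCK_POOL_SIZE 4
static MOCK_OBJECT g_Pool[MOCK_POOL_SIZE];   /* fixed pool instead of malloc */
static long g_RefCountViolations;            /* drops attempted on a dead object */

/* Clear the pool and the violation counter so scenarios run independently. */
void MockResetPool(void)
{
    memset(g_Pool, 0, sizeof g_Pool);
    g_RefCountViolations = 0;
}

long MockGetRefCountViolations(void) { return g_RefCountViolations; }

/* Number of objects still holding at least one reference (leak indicator). */
long MockLiveObjectCount(void)
{
    long live = 0;
    for (size_t i = 0; i < MOCK_POOL_SIZE; i++) live += g_Pool[i].InUse;
    return live;
}

/* Allocate an object that starts with one reference, like a successful create. */
PMOCK_OBJECT MockObCreateObject(void)
{
    for (size_t i = 0; i < MOCK_POOL_SIZE; i++) {
        if (!g_Pool[i].InUse) {
            g_Pool[i].InUse = 1;
            g_Pool[i].PointerCount = 1;
            return &g_Pool[i];
        }
    }
    return NULL;   /* pool exhausted */
}

/* The "f" routines: the implementations the documented names expand to.
 * Both return the new count, as the wdm.h declarations do (LONG_PTR there). */
long FASTCALL MockObfReferenceObject(PMOCK_OBJECT Object)
{
    return ++Object->PointerCount;
}

long FASTCALL MockObfDereferenceObject(PMOCK_OBJECT Object)
{
    if (Object->PointerCount <= 0) {
        /* Over-dereference: dropping a reference that was never taken. The
         * kernel bug-checks on an illegal count; the mock counts and refuses
         * it so the count cannot go negative or re-release a freed slot. */
        g_RefCountViolations++;
        return -1;
    }
    long NewCount = --Object->PointerCount;
    if (NewCount == 0)
        Object->InUse = 0;   /* last reference gone: release the slot */
    return NewCount;
}

/* The documented names are macros over the "f" versions, the pattern the
 * first answer points to in wdm.h. Driver code should spell these names. */
#define MockObReferenceObject(a)   MockObfReferenceObject(a)
#define MockObDereferenceObject(a) MockObfDereferenceObject(a)

/* Scenario: take Refs extra references on a fresh object, then drop Derefs.
 * Returns the count reported by the last call: 0 means the object was
 * released, a positive value means references leaked, -1 means a drop was
 * refused because the object was already gone, -2 means the pool was full. */
long MockRunScenario(int Refs, int Derefs)
{
    PMOCK_OBJECT Object = MockObCreateObject();
    long Last = 1;
    if (Object == NULL) return -2;
    for (int i = 0; i < Refs; i++)   Last = MockObReferenceObject(Object);
    for (int i = 0; i < Derefs; i++) Last = MockObDereferenceObject(Object);
    return Last;
}

static void Report(const char *Label, int Refs, int Derefs)
{
    MockResetPool();
    long Last = MockRunScenario(Refs, Derefs);   /* sequenced before the reads below */
    printf("%-11s refs=%d derefs=%d -> last=%ld violations=%ld live=%ld\n",
           Label, Refs, Derefs, Last, MockGetRefCountViolations(), MockLiveObjectCount());
}

int main(void)
{
    Report("balanced", 2, 3);    /* count reaches 0, slot released */
    Report("over-deref", 1, 3);  /* one drop too many: refused and counted */
    Report("leaked", 2, 2);      /* one drop too few: object stays live */
    return 0;
}
```

The mock is deliberately strict where the real object manager is not: a stale pointer to a released pool slot is still addressable here, so the extra dereference is caught and counted rather than corrupting memory. In a driver the same imbalance is a use-after-free (one drop too many) or a pinned object that never goes away (one drop too few), which is why the balance of ObReferenceObject and ObDereferenceObject calls matters more than which spelling of the dereference routine is used.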

All replies

  • Thanks!

    leo

    Tuesday, May 26, 2015 7:32 PM