Brute forcing graphics driver query data

When doing research for work, I usually start by opening up some common core Windows dynamic library exposed to usermode. Usually, I don't find many things too fruitful. This is one of those cases, but because it is so undocumented I decided to take a look anyway.

The function I came across was D3DKMTCreateOverlay. It was exposed by gdi32.dll, but I believe entrypoints exist in several modules (dxgi for example).

Why not so fruitful? This interface requires proprietary information to function, and you need to pass data to it to activate an overlay with a structure definition only your video card (and perhaps other models like it) can understand.

Specifically, the problem is D3DKMT_CREATEOVERLAY::OverlayInfo, which has the type D3DDDI_KERNELOVERLAYINFO. That structure contains pPrivateDriverData, a pointer to data your video driver will digest; it has an unknown size and format. I thought to myself, I can brute force the size, but the data is impossible unless I know the format. Maybe I'll get to that at a later time, but while thinking about this concept I ran into the function D3DKMTQueryAdapterInfo.

You'll notice a few fields of known size, but there are a few unknowns, and undocumented things I'd like to talk about here.

First, I needed to figure out how to get simple things from the APIs, because D3DKMTQueryAdapterInfo requires a hAdapter field to return data.

I found these examples online (Windows Kernel Graphics Driver Attack Surface, and Direct X – Direct way to Microsoft Windows Kernel), originally meant to fuzz video drivers for vulnerabilities (so you can see how close to the metal we are with these APIs).

So with that, I created (basically copy pasted) this:

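// Function-pointer types for the D3DKMT thunks that main() resolves from
// gdi32.dll with GetProcAddress.
//
// APIENTRY is spelled out on every type: the exported thunks use the standard
// Windows API calling convention, and calling them through a pointer that
// carries the compiler's default convention unbalances the stack in a 32-bit
// x86 build. On x64 there is a single convention, so the omission goes
// unnoticed there.
typedef NTSTATUS (APIENTRY *D3DKMTCreateDevice_t)(_Inout_ D3DKMT_CREATEDEVICE *pData);
typedef NTSTATUS (APIENTRY *D3DKMTDestroyDevice_t)(_In_ const D3DKMT_DESTROYDEVICE *pData);
typedef NTSTATUS (APIENTRY *D3DKMTCreateContext_t)(_Inout_ D3DKMT_CREATECONTEXT *pData);
typedef NTSTATUS (APIENTRY *D3DKMTOpenAdapterFromHdc_t)(_Inout_ D3DKMT_OPENADAPTERFROMHDC *pData);
typedef NTSTATUS (APIENTRY *D3DKMTCloseAdapter_t)(_In_ const D3DKMT_CLOSEADAPTER *pData);
typedef NTSTATUS (APIENTRY *D3DKMTCreateOverlay_t)(_Inout_ D3DKMT_CREATEOVERLAY *pData);
typedef NTSTATUS (APIENTRY *D3DKMTDestroyOverlay_t)(_In_ const D3DKMT_DESTROYOVERLAY *pData);
// The descriptor itself is const; the query helpers on this page read their
// results from the buffer that pPrivateDriverData points to.
typedef NTSTATUS (APIENTRY *D3DKMTQueryAdapterInfo_t)(_Inout_ const D3DKMT_QUERYADAPTERINFO *pData);
typedef NTSTATUS (APIENTRY *D3DKMTQueryResourceInfoFromNtHandle_t)(_Inout_ D3DKMT_QUERYRESOURCEINFOFROMNTHANDLE *pData);

// Resolved entry points. Each one stays null until main() has looked it up, so
// a caller must not invoke any of them before that lookup has succeeded.
// pD3DKMTCreateContext is declared here but main() never resolves it; it
// remains null.
D3DKMTCreateDevice_t pD3DKMTCreateDevice = nullptr;
D3DKMTDestroyDevice_t pD3DKMTDestroyDevice = nullptr;
D3DKMTCreateContext_t pD3DKMTCreateContext = nullptr;
D3DKMTOpenAdapterFromHdc_t pD3DKMTOpenAdapterFromHdc = nullptr;
D3DKMTCloseAdapter_t pD3DKMTCloseAdapter = nullptr;
D3DKMTCreateOverlay_t pD3DKMTCreateOverlay = nullptr;
D3DKMTDestroyOverlay_t pD3DKMTDestroyOverlay = nullptr;
D3DKMTQueryAdapterInfo_t pD3DKMTQueryAdapterInfo = nullptr;
D3DKMTQueryResourceInfoFromNtHandle_t pD3DKMTQueryResourceInfoFromNtHandle = nullptr;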

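// Resolves the D3DKMT thunks from gdi32.dll, opens the adapter behind the
// primary display, creates and destroys a device on it, and releases every
// handle again.
//
// Returns 0 when the adapter was opened and the device was created, 1 on any
// failure. All exits go through the "finish" label so the DC, the adapter,
// the device and the module reference are released on every path.
int main()
{
    int exitCode = 1;
    HDC hDC = NULL;
    HMODULE hGDI32 = NULL;
    NTSTATUS status = 0;
    BOOL foundPrimary = FALSE;
    DISPLAY_DEVICE dd;
    D3DKMT_OPENADAPTERFROMHDC oafh;
    D3DKMT_CREATEDEVICE cdev;

    // Everything the cleanup code looks at is declared and zeroed before the
    // first "goto finish", so no jump skips an initialisation and the cleanup
    // can tell which handles were actually obtained.
    ZeroMemory(&dd, sizeof(dd));
    ZeroMemory(&oafh, sizeof(oafh));
    ZeroMemory(&cdev, sizeof(cdev));

    // Restrict the lookup to the system directory so that a gdi32.dll sitting
    // next to the executable or in the working directory is never loaded.
    // LOAD_LIBRARY_SEARCH_SYSTEM32 needs Windows 8 or later (or Windows 7 with
    // KB2533623).
    hGDI32 = LoadLibraryExW(L"gdi32.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    if (!hGDI32)
    {
        printf("Unable to locate gdi32.dll...\n");
        goto finish;
    }

    pD3DKMTCreateDevice = (D3DKMTCreateDevice_t)
        GetProcAddress(hGDI32, "D3DKMTCreateDevice");

    pD3DKMTDestroyDevice = (D3DKMTDestroyDevice_t)
        GetProcAddress(hGDI32, "D3DKMTDestroyDevice");

    pD3DKMTOpenAdapterFromHdc = (D3DKMTOpenAdapterFromHdc_t)
        GetProcAddress(hGDI32, "D3DKMTOpenAdapterFromHdc");

    pD3DKMTCloseAdapter = (D3DKMTCloseAdapter_t)
        GetProcAddress(hGDI32, "D3DKMTCloseAdapter");

    pD3DKMTCreateOverlay = (D3DKMTCreateOverlay_t)
        GetProcAddress(hGDI32, "D3DKMTCreateOverlay");

    pD3DKMTDestroyOverlay = (D3DKMTDestroyOverlay_t)
        GetProcAddress(hGDI32, "D3DKMTDestroyOverlay");

    pD3DKMTQueryAdapterInfo = (D3DKMTQueryAdapterInfo_t)
        GetProcAddress(hGDI32, "D3DKMTQueryAdapterInfo");

    pD3DKMTQueryResourceInfoFromNtHandle = (D3DKMTQueryResourceInfoFromNtHandle_t)
        GetProcAddress(hGDI32, "D3DKMTQueryResourceInfoFromNtHandle");

    // A missing export would otherwise surface later as a call through a
    // null pointer, so all lookups are checked before any thunk is used.
    if (!pD3DKMTCreateDevice ||
        !pD3DKMTDestroyDevice ||
        !pD3DKMTOpenAdapterFromHdc ||
        !pD3DKMTCloseAdapter ||
        !pD3DKMTCreateOverlay ||
        !pD3DKMTDestroyOverlay ||
        !pD3DKMTQueryAdapterInfo ||
        !pD3DKMTQueryResourceInfoFromNtHandle)
    {
        printf("Unable to locate export from gdi32.dll...\n");
        goto finish;
    }

    // Walk the display devices until the primary one turns up. The structure
    // is reset before each call, and whether a primary device was found is
    // tracked explicitly so a stale or empty DeviceName is never handed to
    // CreateDC.
    for (DWORD i = 0; ; ++i)
    {
        ZeroMemory(&dd, sizeof(dd));
        dd.cb = sizeof(dd);

        if (!EnumDisplayDevices(NULL, i, &dd, 0))
        {
            break;
        }

        if (dd.StateFlags & DISPLAY_DEVICE_PRIMARY_DEVICE)
        {
            foundPrimary = TRUE;
            break;
        }
    }

    if (foundPrimary)
    {
        hDC = CreateDC(NULL, dd.DeviceName, NULL, NULL);
    }

    if (!hDC)
    {
        printf("Unable to obtain primary DC...\n");
        goto finish;
    }

    oafh.hDc = hDC;

    status = pD3DKMTOpenAdapterFromHdc(&oafh);
    if (status != 0)
    {
        // NTSTATUS is a signed type; %X expects an unsigned int.
        printf("Failed D3DKMTOpenAdapterFromHdc (0x%X)\n", (unsigned int)status);
        goto finish;
    }

    printf("Obtained adapter (0x%X, 0x%X, 0x%X:0x%X)\n",
        (unsigned int)oafh.hAdapter, (unsigned int)oafh.VidPnSourceId,
        (unsigned int)oafh.AdapterLuid.HighPart, (unsigned int)oafh.AdapterLuid.LowPart);

    // Adapter queries (for example the GET_QUERY_SIZE calls shown on this
    // page) belong at this point: oafh.hAdapter is open and a local named
    // "status" is in scope, which is what the macro expects.

    cdev.hAdapter = oafh.hAdapter;

    status = pD3DKMTCreateDevice(&cdev);
    if (status != 0)
    {
        printf("Failed D3DKMTCreateDevice (0x%X)\n", (unsigned int)status);
        goto finish;
    }

    // NOTE(review): the definition of D3DKMT_CREATEDEVICE is not shown on the
    // page; if Flags is a structure rather than an integer, passing it to %X
    // is not well defined and should go through an integer copy -- confirm.
    printf("Created device (0x%X, 0x%X)\n", cdev.hDevice, cdev.Flags);

    exitCode = 0;

finish:
    // Release in reverse order of acquisition; each step is skipped when the
    // corresponding handle was never obtained.
    if (cdev.hDevice)
    {
        D3DKMT_DESTROYDEVICE ded;
        ZeroMemory(&ded, sizeof(ded));
        ded.hDevice = cdev.hDevice;

        if (pD3DKMTDestroyDevice(&ded) == 0)
            printf("Destroyed device.\n");
        else
            printf("Failed to destroy device.\n");
    }

    if (oafh.hAdapter)
    {
        D3DKMT_CLOSEADAPTER ca;
        ZeroMemory(&ca, sizeof(ca));
        ca.hAdapter = oafh.hAdapter;

        if (pD3DKMTCloseAdapter(&ca) == 0)
            printf("Closed adapter.\n");
        else
            printf("Failed to close adapter.\n");
    }

    if (hDC)
    {
        DeleteDC(hDC);
    }

    if (hGDI32)
    {
        // The resolved function pointers must not be used past this point.
        FreeLibrary(hGDI32);
    }

    return exitCode;
}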

I didn't include all the definitions here, but the important bits are available online. Most of them are easily found, but one, KMTQUERYADAPTERINFOTYPE, is not documented very well, so I'll include it:

// Selector for the kind of adapter information requested. The query helpers
// on this page assign one of these values to D3DKMT_QUERYADAPTERINFO::Type
// before calling D3DKMTQueryAdapterInfo.
//
// Every value is written out explicitly because the number itself is what is
// handed to the call; do not renumber or rely on implicit ordering. The
// author notes that several of these entries do not appear in Microsoft's
// documentation, so the names and values below are as listed on this page.
typedef enum _KMTQUERYADAPTERINFOTYPE  
{
    KMTQAITYPE_UMDRIVERPRIVATE = 0,
    KMTQAITYPE_UMDRIVERNAME = 1,
    KMTQAITYPE_UMOPENGLINFO = 2,
    KMTQAITYPE_GETSEGMENTSIZE = 3,
    KMTQAITYPE_ADAPTERGUID = 4,
    KMTQAITYPE_FLIPQUEUEINFO = 5,
    KMTQAITYPE_ADAPTERADDRESS = 6,
    KMTQAITYPE_SETWORKINGSETINFO = 7,
    KMTQAITYPE_ADAPTERREGISTRYINFO = 8,
    KMTQAITYPE_CURRENTDISPLAYMODE = 9,
    KMTQAITYPE_MODELIST = 10,
    KMTQAITYPE_CHECKDRIVERUPDATESTATUS = 11,
    KMTQAITYPE_VIRTUALADDRESSINFO = 12, // _ADVSCH_
    KMTQAITYPE_DRIVERVERSION = 13,
    // 14 is not assigned in this listing; the numbering resumes at 15.
    KMTQAITYPE_ADAPTERTYPE = 15,
    KMTQAITYPE_OUTPUTDUPLCONTEXTSCOUNT = 16,
    KMTQAITYPE_WDDM_1_2_CAPS = 17,
    KMTQAITYPE_UMD_DRIVER_VERSION = 18,
    KMTQAITYPE_DIRECTFLIP_SUPPORT = 19,
    KMTQAITYPE_MULTIPLANEOVERLAY_SUPPORT = 20,
    KMTQAITYPE_DLIST_DRIVER_NAME = 21,
    KMTQAITYPE_WDDM_1_3_CAPS = 22,
    KMTQAITYPE_MULTIPLANEOVERLAY_HUD_SUPPORT = 23,
    KMTQAITYPE_WDDM_2_0_CAPS = 24,
    KMTQAITYPE_NODEMETADATA = 25,
    KMTQAITYPE_CPDRIVERNAME = 26,
    KMTQAITYPE_XBOX = 27,
    KMTQAITYPE_INDEPENDENTFLIP_SUPPORT = 28,
    KMTQAITYPE_MIRACASTCOMPANIONDRIVERNAME = 29,
    KMTQAITYPE_PHYSICALADAPTERCOUNT = 30,
    KMTQAITYPE_PHYSICALADAPTERDEVICEIDS = 31,
    KMTQAITYPE_DRIVERCAPS_EXT = 32,
    KMTQAITYPE_QUERY_MIRACAST_DRIVER_TYPE = 33,
    KMTQAITYPE_QUERY_GPUMMU_CAPS = 34,
    KMTQAITYPE_QUERY_MULTIPLANEOVERLAY_DECODE_SUPPORT = 35,
} KMTQUERYADAPTERINFOTYPE;

You'll notice that a few of these are listed in the Microsoft documentation for D3DKMT_QUERYADAPTERINFO.

The main ones I want to talk about are:

KMTQAITYPE_UMDRIVERPRIVATE  
KMTQAITYPE_VIRTUALADDRESSINFO  
KMTQAITYPE_MULTIPLANEOVERLAY_SUPPORT  
KMTQAITYPE_DLIST_DRIVER_NAME  
KMTQAITYPE_WDDM_1_3_CAPS  
KMTQAITYPE_MULTIPLANEOVERLAY_HUD_SUPPORT  
KMTQAITYPE_WDDM_2_0_CAPS  
KMTQAITYPE_NODEMETADATA  
KMTQAITYPE_CPDRIVERNAME  
KMTQAITYPE_XBOX  
KMTQAITYPE_INDEPENDENTFLIP_SUPPORT  
KMTQAITYPE_MIRACASTCOMPANIONDRIVERNAME  
KMTQAITYPE_PHYSICALADAPTERCOUNT  
KMTQAITYPE_PHYSICALADAPTERDEVICEIDS  
KMTQAITYPE_DRIVERCAPS_EXT  
KMTQAITYPE_QUERY_MIRACAST_DRIVER_TYPE  
KMTQAITYPE_QUERY_GPUMMU_CAPS  
KMTQAITYPE_QUERY_MULTIPLANEOVERLAY_DECODE_SUPPORT  

These don't appear in documentation, so let's focus on them.

We have our adapter, so we can start querying information. Notice that the function returns an NTSTATUS code! You can either check for the NTSTATUS code that signals an invalid size, or just keep going with a large buffer until the call succeeds and see what happens.

I started with this:

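/*
 * Dumps a buffer twice: once as hex bytes ("B { ... }") and once as a
 * sequence of wide characters ("W { ... }").
 *
 * p    - start of the buffer; a null pointer is treated as an empty buffer.
 * size - number of valid bytes at p.
 *
 * Both lists are always closed with " }" and a newline, including for an
 * empty buffer. The wide-character view only covers whole wchar_t units: a
 * trailing partial unit is left out instead of being read past the end of
 * the buffer, which matters because the data comes back from a driver and
 * its length is whatever the size probe happened to find.
 */
void print_bytes(void *p, size_t size)
{
    const unsigned char *bytes = (const unsigned char *)p;
    size_t wide_bytes;

    if (bytes == NULL)
    {
        size = 0;
    }

    printf("B { ");
    if (size == 0)
    {
        printf("}\n");
    }
    for (size_t i = 0; i < size; i++)
    {
        if (i + 1 == size)
        {
            printf("0x%02X }\n", bytes[i]);
        }
        else
        {
            printf("0x%02X, ", bytes[i]);
        }
    }

    /* Largest prefix of the buffer that is a whole number of wchar_t units. */
    wide_bytes = size - (size % sizeof(wchar_t));

    printf("W { ");
    if (wide_bytes == 0)
    {
        printf("}\n");
    }
    for (size_t i = 0; i < wide_bytes; i += sizeof(wchar_t))
    {
        wchar_t wc;

        /* Copy instead of casting: the byte buffer carries no alignment or
         * type guarantee for a direct wchar_t load. */
        memcpy(&wc, bytes + i, sizeof(wc));

        if (i + sizeof(wchar_t) == wide_bytes)
        {
            printf("%C }\n", wc);
        }
        else
        {
            printf("%C, ", wc);
        }
    }
}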

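/*
 * Probes D3DKMTQueryAdapterInfo for a buffer size it accepts for the given
 * query type by trying every size from 1 up to the size of a local scratch
 * buffer.
 *
 * hAdapter - adapter handle, as returned in D3DKMT_OPENADAPTERFROMHDC.
 * type     - query type to probe.
 *
 * Returns the PrivateDriverDataSize of the first call that returns status 0,
 * or 0 if no size up to the scratch buffer size is accepted (or the entry
 * point has not been resolved). What is found is the smallest accepted size;
 * nothing here shows that it is the only one.
 *
 * Each probe is a separate call into the graphics stack with a size it may
 * not expect; a driver that mishandles such a size fails in kernel mode, so
 * this is a test-machine tool.
 */
size_t GetQueryDataSize(D3DKMT_HANDLE hAdapter, KMTQUERYADAPTERINFOTYPE type)
{
    unsigned char data[0x4000];
    D3DKMT_QUERYADAPTERINFO qa;

    /* Go through the resolved pointer like the rest of the page does. */
    if (pD3DKMTQueryAdapterInfo == NULL)
    {
        return 0;
    }

    memset(&qa, 0, sizeof(qa));
    qa.hAdapter = hAdapter;
    qa.Type = type;
    qa.pPrivateDriverData = data;

    /* <= so that the full scratch buffer size is tried as well. */
    for (size_t i = 1; i <= sizeof(data); i++)
    {
        /* The call is handed the buffer contents, so give it zeros rather
         * than whatever the stack held; this keeps runs repeatable.
         * NOTE(review): some query types presumably read input fields from
         * this buffer, which could be why they report size 0 -- confirm. */
        memset(data, 0, i);
        qa.PrivateDriverDataSize = (UINT)i;

        if (pD3DKMTQueryAdapterInfo(&qa) == 0)
        {
            return qa.PrivateDriverDataSize;
        }
    }

    return 0;
}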

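// Probes the accepted buffer size for query type T on adapter A, prints
// "<name of T> = 0x<size>", then repeats the query with a heap buffer of that
// size and dumps the result with print_bytes when the call returns status 0.
//
// Requirements on the call site: a variable named "status" assignable from
// NTSTATUS must be in scope (the macro stores the second call's result in
// it), and pD3DKMTQueryAdapterInfo must already be resolved.
//
// Notes on the implementation:
//  - nothing is allocated when the probe reports size 0, so no zero-length
//    array is created and then left undeleted;
//  - the buffer is value-initialised, so bytes the driver does not write are
//    printed as zero rather than as leftover heap contents;
//  - the size is cast for %X, which expects an unsigned int, not a size_t;
//  - locals carry a gqs_ prefix to stay clear of names at the call site, and
//    the macro ends without a semicolon so it behaves as a single statement
//    (the call site supplies the semicolon).
#define GET_QUERY_SIZE(A, T) do { \
    size_t gqs_size = GetQueryDataSize((A), (T)); \
    printf("%s = 0x%X\n", #T, (unsigned int)gqs_size); \
    if (gqs_size > 0) { \
        unsigned char *gqs_data = new unsigned char[gqs_size](); \
        D3DKMT_QUERYADAPTERINFO gqs_qa; \
        memset(&gqs_qa, 0, sizeof(gqs_qa)); \
        gqs_qa.hAdapter = (A); \
        gqs_qa.Type = (T); \
        gqs_qa.pPrivateDriverData = gqs_data; \
        gqs_qa.PrivateDriverDataSize = (UINT)gqs_size; \
        status = pD3DKMTQueryAdapterInfo(&gqs_qa); \
        if (status == 0) { \
            print_bytes(gqs_data, gqs_size); \
        } \
        delete[] gqs_data; \
    } \
} while (0)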

This allows me to discover the size of a given type, and print the data once found. (Strictly, the size it finds is the smallest buffer size for which the call succeeds.)

Let's just run it through everything! Here's what I ended up with:

// One probe-and-dump per query type the author singles out as undocumented.
// These statements are meant to sit inside main(), after
// D3DKMTOpenAdapterFromHdc has succeeded and before the adapter is closed:
// the macro reads oafh.hAdapter and assigns to the local "status".
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_UMDRIVERPRIVATE);  
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_VIRTUALADDRESSINFO);  
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_MULTIPLANEOVERLAY_SUPPORT);  
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_DLIST_DRIVER_NAME);  
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_WDDM_1_3_CAPS);  
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_MULTIPLANEOVERLAY_HUD_SUPPORT);  
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_WDDM_2_0_CAPS);  
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_NODEMETADATA);  
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_CPDRIVERNAME);  
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_XBOX);  
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_INDEPENDENTFLIP_SUPPORT);  
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_MIRACASTCOMPANIONDRIVERNAME);  
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_PHYSICALADAPTERCOUNT);  
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_PHYSICALADAPTERDEVICEIDS);  
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_DRIVERCAPS_EXT);  
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_QUERY_MIRACAST_DRIVER_TYPE);  
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_QUERY_GPUMMU_CAPS);  
GET_QUERY_SIZE(oafh.hAdapter, KMTQAITYPE_QUERY_MULTIPLANEOVERLAY_DECODE_SUPPORT);  

The output:

KMTQAITYPE_UMDRIVERPRIVATE = 0x960  
B { 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x27, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5C, 0x00, 0x52, 0x00, 0x65, 0x00, 0x67, 0x00, 0x69, 0x00, 0x73, 0x00, 0x74, 0x00, 0x72, 0x00, 0x79, 0x00, 0x5C, 0x00, 0x4D, 0x00, 0x61, 0x00, 0x63, 0x00, 0x68, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x5C, 0x00, 0x53, 0x00, 0x79, 0x00, 0x73, 0x00, 0x74, 0x00, 0x65, 0x00, 0x6D, 0x00, 0x5C, 0x00, 0x43, 0x00, 0x75, 0x00, 0x72, 0x00, 0x72, 0x00, 0x65, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x43, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x6C, 0x00, 0x53, 0x00, 0x65, 0x00, 0x74, 0x00, 0x5C, 0x00, 0x43, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x72, 0x00, 0x6F, 0x00, 0x6C, 0x00, 0x5C, 0x00, 0x43, 0x00, 0x6C, 0x00, 0x61, 0x00, 0x73, 0x00, 0x73, 0x00, 0x5C, 0x00, 0x7B, 0x00, 0x34, 0x00, 0x64, 0x00, 0x33, 0x00, 0x36, 0x00, 0x65, 0x00, 0x39, 0x00, 0x36, 0x00, 0x38, 0x00, 0x2D, 0x00, 0x65, 0x00, 0x33, 0x00, 0x32, 0x00, 0x35, 0x00, 0x2D, 0x00, 0x31, 0x00, 0x31, 0x00, 0x63, 0x00, 0x65, 0x00, 0x2D, 0x00, 0x62, 0x00, 0x66, 0x00, 0x63, 0x00, 0x31, 0x00, 0x2D, 0x00, 0x30, 0x00, 0x38, 0x00, 0x30, 0x00, 0x30, 0x00, 0x32, 0x00, 0x62, 0x00, 0x65, 0x00, 0x31, 0x00, 0x30, 0x00, 0x33, 0x00, 0x31, 0x00, 0x38, 0x00, 0x7D, 0x00, 0x5C, 0x00, 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x6E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x9C, 0x2D, 0x11, 0x00, 0x22, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x09, 0x00, 0x00 }  
W {  , , ,  , ,  , ,  ,  ,  , ,  ,  ,  , ,  ,  ,  , ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  , \, R, e, g, i, s, t, r, y, \, M, a, c, h, i, n, e, \, S, y, s, t, e, m, \, C, u, r, r, e, n, t, C, o, n, t, r, o, l, S, e, t, \, C, o, n, t, r, o, l, \, C, l, a, s, s, \, {, 4, d, 3, 6, e, 9, 6, 8, -, e, 3, 2, 5, -, 1, 1, c, e, -, b, f, c, 1, -, 0, 8, 0, 0, 2, b, e, 1, 0, 3, 1, 8, }n,  ,  ,  ,  ,  ,  ,  ,  ,  , ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  , , , ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  ,  , ,   }  
KMTQAITYPE_VIRTUALADDRESSINFO = 0x4  
B { 0x01, 0x00, 0x00, 0x00 }  
W { ,   }  
KMTQAITYPE_MULTIPLANEOVERLAY_SUPPORT = 0x4  
B { 0x00, 0x00, 0x00, 0x00 }  
W {  ,   }  
KMTQAITYPE_DLIST_DRIVER_NAME = 0x0  
KMTQAITYPE_WDDM_1_3_CAPS = 0x4  
B { 0x10, 0x00, 0x00, 0x00 }  
W { ,   }  
KMTQAITYPE_MULTIPLANEOVERLAY_HUD_SUPPORT = 0x0  
KMTQAITYPE_WDDM_2_0_CAPS = 0x4  
B { 0x02, 0x00, 0x00, 0x00 }  
W { ,   }  
KMTQAITYPE_NODEMETADATA = 0x0  
KMTQAITYPE_CPDRIVERNAME = 0x208  
B { 0x61, 0x00, 0x6D, 0x00, 0x64, 0x00, 0x6D, 0x00, 0x69, 0x00, 0x72, 0x00, 0x61, 0x00, 0x63, 0x00, 0x61, 0x00, 0x73, 0x00, 0x74, 0x00, 0x2E, 0x00, 0x64, 0x00, 0x6C, 0x00, 0x6C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }  
W { a, m, d, m, i, r, a, c, a, s, t, ., d, l, l}  
KMTQAITYPE_XBOX = 0x4  
B { 0x00, 0x00, 0x00, 0x00 }  
W {  ,   }  
KMTQAITYPE_INDEPENDENTFLIP_SUPPORT = 0x4  
B { 0x01, 0x00, 0x00, 0x00 }  
W { ,   }  
KMTQAITYPE_MIRACASTCOMPANIONDRIVERNAME = 0x208  
B { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }  
W {}  
KMTQAITYPE_PHYSICALADAPTERCOUNT = 0x4  
B { 0x01, 0x00, 0x00, 0x00 }  
W { ,   }  
KMTQAITYPE_PHYSICALADAPTERDEVICEIDS = 0x0  
KMTQAITYPE_DRIVERCAPS_EXT = 0x4  
B { 0x01, 0x00, 0x00, 0x00 }  
W { ,   }  
KMTQAITYPE_QUERY_MIRACAST_DRIVER_TYPE = 0x4  
B { 0x02, 0x00, 0x00, 0x00 }  
W { ,   }  
KMTQAITYPE_QUERY_GPUMMU_CAPS = 0x0  
KMTQAITYPE_QUERY_MULTIPLANEOVERLAY_DECODE_SUPPORT = 0x4  
B { 0x00, 0x00, 0x00, 0x00 }  
W {  ,   }  

I found out pretty quickly, based on the PDFs mentioned previously and after seeing some of this data, that the string format they use is WIDE and most strings are paths, which are WCHAR[MAX_PATH] in size (0x208 bytes: MAX_PATH is 260 characters at 2 bytes each).

Let's start with the obvious ones

  • Not entirely sure what KMTQAITYPE_VIRTUALADDRESSINFO is about
  • KMTQAITYPE_MULTIPLANEOVERLAY_SUPPORT returns a four byte integer which is 1 if your card/driver supports multiplane overlays, and presumably zero if not (mine is 1)
  • The documentation claims KMTQAITYPE_WDDM_1_3_CAPS is reserved for future use, but it has information in it. Presumably some flags regarding WDDM 1.3 (and I can assume they're flags because D3DKMT_WDDM_1_2_CAPS actually is documented here. I would assume a similar structure/series of set bits is represented here)
  • KMTQAITYPE_MULTIPLANEOVERLAY_HUD_SUPPORT returns zero for me (unable to find size or the query function simply failed), but I assume that on video cards that support this code it is exactly like KMTQAITYPE_MULTIPLANEOVERLAY_SUPPORT, which returns a 4 byte integer (1 supports it, 0 does not)
  • KMTQAITYPE_WDDM_2_0_CAPS is probably a lot like KMTQAITYPE_WDDM_1_3_CAPS
  • KMTQAITYPE_NODEMETADATA - unknown on my card
  • KMTQAITYPE_CPDRIVERNAME returns a WCHAR[MAX_PATH] string which is the name of the "CPDRIVERNAME" (in my case "amdmiracast.dll")
  • KMTQAITYPE_XBOX returns four bytes of data which I assume to be (though speculation alone) 1 if you are an xbox, and 0 if you are not an xbox. This is zero on my machine.
  • KMTQAITYPE_INDEPENDENTFLIP_SUPPORT returns a four byte integer, 1 if you support and 0 if you don't.
  • KMTQAITYPE_MIRACASTCOMPANIONDRIVERNAME has a size of 0x208, so I assume it returns a WCHAR[MAX_PATH] type but all the data is zero. Probably not supported by my card.
  • KMTQAITYPE_PHYSICALADAPTERCOUNT returns a four byte integer on my machine, and I would assume it is the number of physical adapters on your machine (I only have one video card, and it returns 1 for me)
  • KMTQAITYPE_PHYSICALADAPTERDEVICEIDS - unknown
  • KMTQAITYPE_DRIVERCAPS_EXT a four byte integer that returns your driver 'capabilities' (caps) - unknown format
  • KMTQAITYPE_QUERY_MIRACAST_DRIVER_TYPE if your card supports miracast, I guess this is some number that represents the type it is.
  • KMTQAITYPE_QUERY_MULTIPLANEOVERLAY_DECODE_SUPPORT four bytes, integer, 0 if you don't and 1 if you do, you know the drill.

OKAY

So let's talk about the one I didn't, KMTQAITYPE_UMDRIVERPRIVATE. This thing returns nearly a page of data at 0x960 bytes; there appears to be a registry path inside of it, along with other miscellaneous information. The format is unknown to me, but the registry path sits at offset 0x3C, and what's odd is that following that string there appear to be 3 other completely blank strings.

4 total with the registry. From 0x3C, the data doesn't continue until 0x85C. 0x85C = (0x3C + sizeof(WCHAR[MAX_PATH]) * 4)

After some pretty weak RE I came up with something like this:

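/*
 * Best-effort layout of the 0x960-byte buffer returned for
 * KMTQAITYPE_UMDRIVERPRIVATE on the author's AMD card.
 *
 * Each member comment gives the byte offset (hex) and the value observed on
 * that one machine. The format is vendor-private and undocumented, so treat
 * every field name and interpretation here as provisional; other drivers,
 * driver versions or cards may return a different layout or size.
 *
 * Packing: the recorded offsets place 8-byte members on 4-byte boundaries
 * (unk17 sits at 0x864), so with default alignment the compiler would insert
 * padding after unk16 and every later offset would be wrong. Packing to 4
 * makes the declared layout match the recorded offsets and the 0x960 total.
 * A compile-time check such as
 *     C_ASSERT(sizeof(struct AMD_PRIVATE_DATA) == 0x960);
 * catches any future drift.
 *
 * When overlaying this struct on a returned buffer, first confirm that the
 * size reported by the query is at least sizeof(struct AMD_PRIVATE_DATA),
 * and do not assume the WCHAR arrays are NUL-terminated.
 */
#pragma pack(push, 4)
struct AMD_PRIVATE_DATA {
    WORD unk0;                      // 0000 (Value = 0)
    WORD unk1;                      // 0002 (Value = 2)
    DWORD unk2;                     // 0004 (Value = 1)
    DWORD unk3;                     // 0008 (Value = 1)
    DWORD unk4;                     // 000C (Value = 4098 = 0x1002; matches AMD's PCI vendor ID - likely, unconfirmed)
    DWORD unk5;                     // 0010 (Value = 0)
    DWORD unk6;                     // 0014 (Value = 26648 = 0x6818; possibly a PCI device ID - unconfirmed)
    DWORD unk7;                     // 0018 (Value = 0)
    DWORD unk8;                     // 001C (Value = 10048 = 0x2740; possibly a subsystem ID - unconfirmed)
    DWORD unk9;                     // 0020 (Value = 0)
    DWORD unk10;                    // 0024 (Value = 5218 = 0x1462; possibly a subsystem vendor ID - unconfirmed)
    __int64 unk11;                  // 0028 (Value = 0)
    __int64 unk12;                  // 0030 (Value = 0)
    WORD unk13;                     // 0038 (Value = 0)
    WORD unk14;                     // 003A (Value = 0)
    WCHAR registry_path[MAX_PATH];  // 003C (the only one of the four strings that was populated)
    WCHAR unk_path_01[MAX_PATH];    // 0244 (blank)
    WCHAR unk_path_02[MAX_PATH];    // 044C (blank)
    WCHAR unk_path_03[MAX_PATH];    // 0654 (blank)
    DWORD unk15;                    // 085C (Value = 512)
    DWORD unk16;                    // 0860 (Value = 110)
    __int64 unk17;                  // 0864 (Value = 0) - 4-byte aligned only; needs the pack(4) above
    __int64 unk18;                  // 086C (Value = 0)
    DWORD unk19;                    // 0874 (Value = 21)
    DWORD unk20;                    // 0878 (Value = 0)
    __int64 unk21;                  // 087C (Value = 0)
    __int64 unk22;                  // 0884 (Value = 0)
    __int64 unk23;                  // 088C (Value = 0)
    __int64 unk24;                  // 0894 (Value = 0)
    __int64 unk25;                  // 089C (Value = 0)
    __int64 unk26;                  // 08A4 (Value = 0)
    DWORD unk27;                    // 08AC (Value = 288201983)
    DWORD unk28;                    // 08B0 (Value = 8704)
    char unk29[168];                // 08B4
    DWORD unk30;                    // 095C (Value = 2400 = 0x960; equals the total buffer size - possibly a size field, unconfirmed)
};
#pragma pack(pop)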

Obviously, this isn't complete but it goes to show you can reveal some neat information about your video card through these functions (and with limited user access, too)

Andrew Artz
