Problem generating csrss_header.h file.
rish9101 opened this issue · comments
While running the gen_csrss_offsets.py script, I am running into a KeyError for RtlpEnvironLookupTable. I'm not sure why I get this error since the PDBs from Microsoft server were downloaded correctly.
My configuration is:
Python version - 2.7.18 - 64 bit
Windows Build version - 21343.1000
Ok. I'll try with that.
Here's the ntdll.dll file - https://drive.google.com/file/d/1ry26kkKyhHDf9HJHUdHi7MFJBtLdO0n5/view?usp=sharing
Here's its PDB file - https://drive.google.com/file/d/1VVYpF6AQlVfEMFL-wNKAZH4v9PXc3Cjv/view?usp=sharing
Hi, try replacing RtlpEnvironLookupTable with RtlpCurDirRef in the script, see if this works. I included a modified version for you to try. gen_csrss_offsets.zip
Closed due to inactivity
@stong first of all, thanks to you and all the team for sharing winnie and coming up with such a clever workaround to forking on Windows.
I'm working on some changes to forklib to make winnie work on Windows 11 and stumbled upon this same issue.
Could you share the reasoning behind choosing the RtlpEnvironLookupTable function (now missing from the ntdll.dll) as the bounding offset of a range?
I want to understand exactly why this symbol was chosen so I can build a generator that works with any version of ntdll.dll.
Hi. Apologies for delayed response. I've been very busy lately.
If memory serves, the important fields to zero out are described in this comment here: https://github.com/sslab-gatech/winnie/blob/master/forklib/gen_csrss_offsets.py#L164
So those are the most important fields, namely the Csr related ones. RtlpCurDirRef and RtlpEnvironLookupTable also were important to zero, but I don't know why.
There were many changes from Win10 to Win11. No guarantee if Win11 can be supported, although there's a possibility.
Good luck!