I have a structure:
struct IRP
fwType dw ?
cbSize dw ?
MdlAddress dd ?
Flags dd ?
union
AssociatedIrp.MasterIrp dd ?
AssociatedIrp.IrpCount dd ?
AssociatedIrp.SystemBuffer dd ?
ends
ThreadListEntry LIST_ENTRY
IoStatus IO_STATUS_BLOCK
RequestorMode db ?
PendingReturned db ?
StackCount db ?
CurrentLocation db ?
Cancel db ?
CancelIrql db ?
ApcEnvironment db ?
AllocationFlags db ?
UserIosb dd ?
UserEvent dd ?
union
struct
Overlay.AsynchronousParameters.UserApcRoutine dd ?
Overlay.AsynchronousParameters.UserApcContext dd ?
ends
Overlay.AllocationSize dq ?
ends
CancelRoutine dd ?
UserBuffer dd ?
union
struct
union
Tail.Overlay.DeviceQueueEntry KDEVICE_QUEUE_ENTRY
Tail.Overlay.DriverContext rd 4
ends
Tail.Overlay.Thread dd ?
Tail.Overlay.AuxiliaryBuffer dd ?
struct
Tail.ListEntry LIST_ENTRY
union
Tail.Overlay.CurrentStackLocation dd ?
Tail.Overlay.PacketType dd ?
ends
ends
Tail.Overlay.OriginalFileObject dd ?
ends
Tail.Apc KAPC
Tail.CompletionKey dd ?
ends
ends
...and this code woks fine:
virtual at ebx
pIrp IRP
end virtual
mov eax, [pIrp.Tail.Overlay.CurrentStackLocation]
but that one generates an error /'Error: Undefined symbol'/
mov eax, [ebx+IRP.Tail.Overlay.CurrentStackLocation]
What is wrong?
ps: sorry for my english