Filter Factory - Important virtual memory addresses

Back to technical analysis page

Attention: This page only addresses Filter Factory for Photoshop/Win32

See also an overview of virtual and physical/raw addresses

Virtual address
 PE section PE-Offset
(V. 3.0.4)		 Size Initialized data Usage / Note
code, exec read .text        
PTR DS:[1C001xxxh]          
uninit data, read/write .bss        
PTR DS:[1C006000h]
(1C008000h in 3.00)		 .bss   4   Pointer to the "PARM" resource.
PTR DS:[1C006004h]
(1C008004h in 3.00)		 .bss   4   A pointer to a data structure which contains all important data.
In the "OPER" context, this pointer is assigned by "prolog" to register EDI.
In the program code context, this pointer is read directly from [1C006004h].
It is the *data pointer of the Filter Entrypoint method, that is kept by Photoshop to let the plugin remember its internal state.
It is allocated using GlobalAlloc in 3.00x and Plugin.Dll:NewPtr in 3.0.4 (which itself allocates using GlobalAlloc).
PTR DS:[1C006008h]
(1C008008h in 3.00)		 .bss 4 A pointer the FilterRecord structure (communication between plugin and host)
PTR DS:[1C00600Ch]
(1C00800Ch in 3.00)		 .bss   2   Only available in 3.00, 3.00a, and 3.00b. It is an error flag for various memory/handle allocation procedures.
Possible values are:
- 0000h (noErr): Allocation successful, or currently in progress
- FF91h (memWZErr): Attempt to operate on a free block
- FF93h (nilHandleErr): NULL handle passed to a function
- FF94h (memFullErr): Memory full
init data, read only .rdata        
PTR DS:[1C007000h]
(1C009000h in 3.00)		 .rdata 5200h 8 00 00 00 00 00 00 30 41 Floating point constant for calculation of C2M_LOOKUP. (data-type double, value 1024² = 1048576)
PTR DS:[1C007008h]
(1C009008h in 3.00)		 .rdata 5208h 8 00 00 00 00 00 FC 8F 40 Floating point constant for calculation of C2M_LOOKUP. (data-type double, value 1023.5)
PTR DS:[1C007010h]
(1C009010h in 3.00)		 .rdata 5210h 8 00 00 00 00 00 00 50 40 Floating point constant for calculation of C2M_LOOKUP. (data-type double, value 64)
N/A in 3.0.4
(1C009018h in 3.00)		 .rdata   8 11 DD 52 A2 46 DF 91 3F Only in 3.00, 3.00a, 3.00b : Unknown constant used by probably dead code
N/A in 3.0.4
(1C009020h in 3.00)		 .rdata   8 72 23 5D 1A DC A5 4C 40 Only in 3.00, 3.00a, 3.00b: Unknown constant used by probably dead code
PTR DS:[1C007020h]
(1C009030h in 3.00)		 .rdata 5220h SZ "Filter Factory" Hardcoded string "Filter Factory" (does not get updated if a filter is built).
This string is never used in the disassembly of any FilterFactory version.
All Photoshop plugins of the Photoshop 3.0 era contain such a human-readable name at the end of the .rdata segment.
It was most likely added using the code-line #ident "Filter Factory" or #pragma comment(exestr, "Filter Factory")
(both options don't work with modern versions of Visual C++ anymore).
Side note:
- You can still enforce adding a string using the code-line const volatile dummy = "Filter Factory"
- In Embarcadero Delphi, the compiler-switch {$DESCRIPTION 'Filter Factory'} also adds the string to the .rdata segment.
init data, read/write .data        
PTR DS:[1C008000h]
(1C00A000h in 3.00)		 .data 5400h 4 00 00 00 00 hInstanceDLL
PTR DS:[1C008004h]
(1C00A004h in 3.00)		 .data 5404h 4 00 00 00 00 4th argument (hIcon) for DrawIcon at 1C00195D. Gets only set at 1C001D80 .
PTR DS:[1C008008h]
(N/A in 3.00)		 .data 5408h 4 00 00 00 00 OS Info: 0 if it is WinNT or Windows below version 4.0; 1 otherwise (i.e. Win9x and >= 4.0).
PTR DS:[1C00800Ch]
(N/A in 3.00)		 .data 540Ch 4 00 00 00 00 CreateSolidBrush handle for the window background
If WinNT/Win3x (1C008008 == 0), then 1C00800C = CreateSolidBrush(GetSysColor(5)) // COLOR_WINDOW "White"
If Win9x (1C008008 == 1), then 1C00800C = CreateSolidBrush(GetSysColor(15)) // COLOR_BTNFACE "Gray"
PTR DS:[1C008010h]
(1C00A008h in 3.00)		 .data 5410h 4 00 00 00 00 The WindowMessage-ID the sliders send.
This pointer is set as argument #2 to the function Plugin.dll:RegisterSlider(hInstanceDll, output),
and will be filled by the result of RegisterWindowMessageA("PSSlCmd") inside PLUGIN.DLL
PTR DS:[1C008014h]
(1C00A00Ch in 3.00)		 .data 5414h SZ %RGB-1.0 "%RGB-1.0" string constant for *.afs open/save routines
PTR DS:[1C008020h]
(1C00A018h in 3.00)		 .data 5420h SZ %RGB-1.0 "%RGB-1.0" string constant for *.afs open/save routines
PTR DS:[1C00802Ch]
(1C00A024h in 3.00)		 .data 542Ch SZ 00 00 00 00 "" empty string constant used by *.afs handling open routine
PTR DS:[1C008030h]
(1C00A028h in 3.00)		 .data 5430h SZ 00 00 00 00 "" empty string constant used by *.afs handling save routine
PTR DS:[1C008034h]
(1C00A02Ch in 3.00)		 .data 5434h SZ 0D 00 00 00 "\r", used by a afs handling routines
PTR DS:[1C008038h]
(1C00A030h in 3.00)		 .data 5438h SZ afs n/a
PTR DS:[1C00803Ch]
(1C00A034h in 3.00)		 .data 543Ch SZ afs n/a
PTR DS:[1C008040h]
(1C00A038h in 3.00)		 .data 5440h SZ 8bf n/a
PTR DS:[1C008044h]
(1C00A03Ch in 3.00)		 .data 5444h SZ 8bf n/a
PTR DS:[1C008048h]
(1C00A040h in 3.00)		 .data 5448h SZ ... n/a
PTR DS:[1C00804Ch]
(1C00A044h in 3.00)		 .data 544Ch SZ prolog Internal function name
PTR DS:[1C008054h]
(1C00A04Ch in 3.00)		 .data 5454h SZ epilog Internal function name
PTR DS:[1C00805Ch]
(1C00A054h in 3.00)		 .data 545Ch SZ , n/a
PTR DS:[1C008060h]
(1C00A058h in 3.00)		 .data 5460h SZ ? n/a
PTR DS:[1C008064h]
(1C00A05Ch in 3.00)		 .data 5464h SZ || Infix operator
PTR DS:[1C008068h]
(1C00A060h in 3.00)		 .data 5468h SZ && Infix operator
PTR DS:[1C00806Ch]
(1C00A064h in 3.00)		 .data 546Ch SZ | Infix operator
PTR DS:[1C008070h]
(1C00A068h in 3.00)		 .data 5470h SZ ^ Infix operator
PTR DS:[1C008074h]
(1C00A06Ch in 3.00)		 .data 5474h SZ & Infix operator
PTR DS:[1C008078h]
(1C00A070h in 3.00)		 .data 5478h SZ << Infix operator
PTR DS:[1C00807Ch]
(1C00A074h in 3.00)		 .data 547Ch SZ >> Infix operator
PTR DS:[1C008080h]
(1C00A078h in 3.00)		 .data 5480h SZ == Infix operator
PTR DS:[1C008084h]
(1C00A07Ch in 3.00)		 .data 5484h SZ != Infix operator
PTR DS:[1C008088h]
(1C00A080h in 3.00)		 .data 5488h SZ < Infix operator
PTR DS:[1C00808Ch]
(1C00A084h in 3.00)		 .data 548Ch SZ <= Infix operator
PTR DS:[1C008090h]
(1C00A088h in 3.00)		 .data 5490h SZ > Infix operator
PTR DS:[1C008094h]
(1C00A08Ch in 3.00)		 .data 5494h SZ >= Infix operator
PTR DS:[1C008098h]
(1C00A090h in 3.00)		 .data 5498h SZ + Infix operator
PTR DS:[1C00809Ch]
(1C00A094h in 3.00)		 .data 549Ch SZ - Infix operator
PTR DS:[1C0080A0h]
(1C00A098h in 3.00)		 .data 54A0h SZ * Infix operator
PTR DS:[1C0080A4h]
(1C00A09Ch in 3.00)		 .data 54A4h SZ / Infix operator
PTR DS:[1C0080A8h]
(1C00A0A0h in 3.00)		 .data 54A8h SZ % Infix operator
PTR DS:[1C0080ACh]
(1C00A0A4h in 3.00)		 .data 54ACh SZ ! Unary operator
PTR DS:[1C0080B0h]
(1C00A0A8h in 3.00)		 .data 54B0h SZ ~ Unary operator
PTR DS:[1C0080B4h]
(1C00A0ACh in 3.00)		 .data 54B4h SZ negate Internal function name
PTR DS:[1C0080BCh]
(1C00A0B4h in 3.00)		 .data 54BCh SZ number Internal function name
PTR DS:[1C0080C4h]
(1C00A0BCh in 3.00)		 .data 54C4h SZ error Internal function name
The following functions are only existing in 3.00, 3.00a, and 3.00b:          
(1C00A0C4h in 3.00)       "FOTO" Only in 3.00, 3.00a, 3.00b : "FOTO" is a signature added in Handles created
by the function NewHandle in PIUtilitiesWin.cpp (which is not existing in current SDKs anymore).
(A handle contains a "thing", e.g. a pointer, concatenated with an OSType signature)
(1C00A0C8h in 3.00)       "-" Only in 3.00, 3.00a, 3.00b : ??
(1C00A0D0h in 3.00)     SZ "PSSlData" Only in 3.00, 3.00a, 3.00b : Used for sliders. In 3.0.4 they were moved to PLUGIN.DLL
(1C00A0E0h in 3.00)     SZ "PSSlCmd" Only in 3.00, 3.00a, 3.00b : Used for sliders. In 3.0.4 they were moved to PLUGIN.DLL
(1C00A0E8h in 3.00)       00 00 00 00 Only in 3.00, 3.00a, 3.00b : ?? (Some flag that will get written to)
(1C00A0ECh in 3.00)       00 00 00 00 Only in 3.00, 3.00a, 3.00b : Windows message of RegisterWindowMessageA("PSSlCmd")
(1C00A0F0h in 3.00)     SZ "Slider" Only in 3.00, 3.00a, 3.00b : Class name of the sliders
(1C00A0F8h in 3.00)     SZ "Slider" Only in 3.00, 3.00a, 3.00b : Class name of the sliders
(1C00A100h in 3.00)       BD 1D 17 00 1C E8 5F FE
35 01 11 11 3E DA AA AA
36 E8 FF 7F 00 00 00 00		 Only in 3.00, 3.00a, 3.00b : ??
(1C00A118h in 3.00)       75 60 FB FF E6 05 68 00
52 AB 4F FA F3 8A AA
2A 94 2F 00 80 00 00 00 40		 Only in 3.00, 3.00a, 3.00b : ??
(1C00A130h in 3.00)       10 C9 Only in 3.00, 3.00a, 3.00b : ??
(1C00A134h in 3.00)       40 24 03 00 Only in 3.00, 3.00a, 3.00b : ??
(1C00A138h in 3.00)       20 92 01 00 Only in 3.00, 3.00a, 3.00b : ??
(1C00A13Ch in 3.00)       9A 79 82 1A Only in 3.00, 3.00a, 3.00b : ??
(1C00A140h in 3.00)       E5 0B 00 40 Only in 3.00, 3.00a, 3.00b : ??
(1C00A148h in 3.00)       C7 71 1C 07 B7 6D DB F6
CD CC CC 0C AB AA AA
EA 00 00 00 40 00 00 00 00		 Only in 3.00, 3.00a, 3.00b : ??
init data, read/write .rsrc        
PTR DS:[1C009xxxh]
(1C00Bxxxh in 3.00)		          
init data, read only .edata        
PTR DS:[1C00Fxxxh]
(1C011xxxh in 3.00)		          
init data, read/write .idata        
PTR DS:[1C0101F0h]
(1C012xxxh in 3.00)		 .idata B200h     Imports from comdlg32.dll
PTR DS:[1C0101FCh] .idata B20Ch     Imports from GDI32.dll
PTR DS:[1C010218h] .idata B228h     Imports from MSVCRT10.dll
PTR DS:[1C010238h] .idata B248h     Imports from KERNEL32.dll
PTR DS:[1C010294h] .idata B2A4h     Imports from PLUGIN.dll (not in 3.00/3.00a/3.00b)
PTR DS:[1C0102CCh] .idata B2DCh     Imports from USER32.dll
init data, read only, discardable   .reloc      
PTR DS:[1C011xxxh]
(1C013xxxh in 3.00)