As seen here:
NTOSKrnl.exe Version 6.1.7601.24545
AMD64 system
Any other information needed? I am struggling to get even the same view he had.
All right, so the View > Sub-View > Pseudocode (F5) worked, but it is not nearly as readable as his and/or needs some tweaking as per:
Furthermore, pulling all the parts together requires some further knowledge of where to look (?).
01 Answer
Edit:
This article explains the solution here. I did not try it myself.
The idea was patching ntoskrnl.exe. The path consists of a basepath (looks like this: \Device\Harddisk1\Partition0) and the \hiberfil.sys. The basepath is stored statically in a variable called IoArcBootDeviceName. This variable itself is written in the function IopCreateArcNames. There it gets its value in these lines:
/* Create the global system partition name */
sprintf(Buffer, "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName);
RtlInitAnsiString(&ArcString, Buffer);
RtlAnsiStringToUnicodeString(&IoArcBootDeviceName, &ArcString, TRUE);
For this patch you need to install IDA or a comparable disassembler. For some help on what all this does you could use the ReactOS-Reference. If your Pseudo-Code-View doesn't look like this, you should check your symbols here.
Original:
The guy in the article patched the function IopCreateArcNames. So first you need to go to this function instead.
There you need to replace this line:
sprintf(Buffer, "\\ArcName\\%s", LoaderBlock->ArcBootDeviceName);
with
sprintf(Buffer, "\\ArcName\\%s", LoaderBlock->ArcHalDeviceName);