/* Entries below feed the asm-offset generator (HEADER/CONSTANT/OFFSET/SIZE
 * expand to table rows; the generated include is what hand-written asm
 * consumes).  Nothing else keeps the asm in step with the C layouts, so a
 * stale or mis-gated entry is a silent wrong-offset bug in a trap/syscall
 * path, not a compile error - regenerate after any struct or header change. */

/* Pointer size - lets asm size slots by the native word instead of hard-coding 4/8. */
HEADER("Pointer size"),
SIZE(SizeofPointer, PVOID),

/* Bug check codes.  The "// 0x.." trailers are documentation only; the
 * emitted value always comes from the CONSTANT() expansion of the symbol,
 * so keep the trailer in step with the defining header (or drop it). */
HEADER("Bug Check Codes"),
CONSTANT(APC_INDEX_MISMATCH),
CONSTANT(INVALID_AFFINITY_SET),
CONSTANT(INVALID_DATA_ACCESS_TRAP),
CONSTANT(IRQL_NOT_GREATER_OR_EQUAL),
CONSTANT(IRQL_NOT_LESS_OR_EQUAL), // 0x0a
CONSTANT(NO_USER_MODE_CONTEXT), // 0x0e
CONSTANT(SPIN_LOCK_ALREADY_OWNED), // 0x0f
CONSTANT(SPIN_LOCK_NOT_OWNED), // 0x10
CONSTANT(THREAD_NOT_MUTEX_OWNER), // 0x11
CONSTANT(TRAP_CAUSE_UNKNOWN), // 0x12
CONSTANT(KMODE_EXCEPTION_NOT_HANDLED), // 0x1e
CONSTANT(KERNEL_APC_PENDING_DURING_EXIT), // 0x20
CONSTANT(PANIC_STACK_SWITCH), // 0x2b
CONSTANT(DATA_BUS_ERROR), // 0x2e
CONSTANT(INSTRUCTION_BUS_ERROR), // 0x2f
CONSTANT(SYSTEM_EXIT_OWNED_MUTEX), // 0x39
//CONSTANT(SYSTEM_UNWIND_PREVIOUS_USER), // 0x3a
//CONSTANT(SYSTEM_SERVICE_EXCEPTION), // 0x3b
//CONSTANT(INTERRUPT_UNWIND_ATTEMPTED), // 0x3c
//CONSTANT(INTERRUPT_EXCEPTION_NOT_HANDLED), // 0x3d
CONSTANT(PAGE_FAULT_WITH_INTERRUPTS_OFF), // 0x49
CONSTANT(IRQL_GT_ZERO_AT_SYSTEM_SERVICE), // 0x4a
CONSTANT(DATA_COHERENCY_EXCEPTION), // 0x55
CONSTANT(INSTRUCTION_COHERENCY_EXCEPTION), // 0x56
CONSTANT(HAL1_INITIALIZATION_FAILED), // 0x61
CONSTANT(UNEXPECTED_KERNEL_MODE_TRAP), // 0x7f
CONSTANT(NMI_HARDWARE_FAILURE), // 0x80
CONSTANT(SPIN_LOCK_INIT_FAILURE), // 0x81
CONSTANT(ATTEMPTED_SWITCH_FROM_DPC), // 0xb8
//CONSTANT(MUTEX_ALREADY_OWNED), // 0xbf
//CONSTANT(HARDWARE_INTERRUPT_STORM), // 0xf2
//CONSTANT(RECURSIVE_MACHINE_CHECK), // 0xfb
//CONSTANT(RECURSIVE_NMI), // 0x111
// Security-critical: the bug check raised when an in-kernel security check
// fails; presumably the one the fast-fail path reports together with the
// FAST_FAIL_* codes under "Fast Fail Constants" - confirm in the trap code.
CONSTANT(KERNEL_SECURITY_CHECK_FAILURE), // 0x139
//CONSTANT(UNSUPPORTED_INSTRUCTION_MODE), // 0x151
//CONSTANT(BUGCHECK_CONTEXT_MODIFIER), // 0x80000000
//CONSTANT(INVALID_CALLBACK_STACK_ADDRESS),
//CONSTANT(INVALID_KERNEL_STACK_ADDRESS),

/* Breakpoint service codes exported for the asm debug stubs (the consumer
 * is not visible in this file). */
HEADER("Breakpoints"),
CONSTANT(BREAKPOINT_BREAK),
CONSTANT(BREAKPOINT_PRINT),
CONSTANT(BREAKPOINT_PROMPT),
CONSTANT(BREAKPOINT_LOAD_SYMBOLS),
CONSTANT(BREAKPOINT_UNLOAD_SYMBOLS),
CONSTANT(BREAKPOINT_COMMAND_STRING),

/* CONTEXT.ContextFlags group selectors.  These only say which register
 * groups a CONTEXT carries; asm that applies a user-supplied CONTEXT
 * still has to sanitise the control/segment/flags fields itself
 * (nothing here does that). */
HEADER("Context Frame Flags"),
CONSTANT(CONTEXT_FULL),
CONSTANT(CONTEXT_CONTROL),
CONSTANT(CONTEXT_INTEGER),
CONSTANT(CONTEXT_FLOATING_POINT),
CONSTANT(CONTEXT_DEBUG_REGISTERS),
#if defined(_M_IX86) || defined(_M_AMD64)
CONSTANT(CONTEXT_SEGMENTS),
#endif

/* EXCEPTION_RECORD.ExceptionFlags bits plus the EXCEPTION_* handler return values. */
HEADER("Exception flags"),
CONSTANT(EXCEPTION_NONCONTINUABLE),
CONSTANT(EXCEPTION_UNWINDING),
CONSTANT(EXCEPTION_EXIT_UNWIND),
CONSTANT(EXCEPTION_STACK_INVALID),
CONSTANT(EXCEPTION_NESTED_CALL),
CONSTANT(EXCEPTION_TARGET_UNWIND),
CONSTANT(EXCEPTION_COLLIDED_UNWIND),
CONSTANT(EXCEPTION_UNWIND),
CONSTANT(EXCEPTION_EXECUTE_HANDLER),
CONSTANT(EXCEPTION_CONTINUE_SEARCH),
CONSTANT(EXCEPTION_CONTINUE_EXECUTION),
#ifdef _X86_
// Sentinel that terminates the x86 SEH handler chain; asm walking the chain
// must stop on it.  Note this block is gated on _X86_ while the rest of the
// file uses _M_IX86 - both must be defined for the same build.
CONSTANT(EXCEPTION_CHAIN_END),
//CONSTANT(FIXED_NTVDMSTATE_LINEAR), /// FIXME ???
#endif

/* EXCEPTION_DISPOSITION enumerators. */
HEADER("Exception types"),
CONSTANT(ExceptionContinueExecution),
CONSTANT(ExceptionContinueSearch),
CONSTANT(ExceptionNestedException),
CONSTANT(ExceptionCollidedUnwind),

/* Fast-fail codes (the argument of the fast-fail trap). */
HEADER("Fast Fail Constants"),
CONSTANT(FAST_FAIL_GUARD_ICALL_CHECK_FAILURE),
//CONSTANT(FAST_FAIL_INVALID_BUFFER_ACCESS),
// NOTE(review): _M_ASM64 appears nowhere else in this file; every other
// amd64 gate tests _M_AMD64 (see "IPI" just below).  If this is a typo the
// two constants inside are never exported on amd64, and any asm that
// references them fails to assemble - confirm the intended macro.
#ifdef _M_ASM64
CONSTANT(FAST_FAIL_INVALID_JUMP_BUFFER),
CONSTANT(FAST_FAIL_INVALID_SET_OF_CONTEXT),
#endif // _M_ASM64
//CONSTANT(FAST_FAIL_INVALID_NEXT_THREAD),
//CONSTANT(FAST_FAIL_INVALID_CONTROL_STACK),
//CONSTANT(FAST_FAIL_SET_CONTEXT_DENIED),
//CONSTANT(FAST_FAIL_ENCLAVE_CALL_FAILURE),
//CONSTANT(FAST_FAIL_GUARD_SS_FAILURE),

/* KINTERRUPT_MODE enumerators, exported under the In* naming. */
HEADER("Interrupt object types"),
CONSTANTX(InLevelSensitive, LevelSensitive),
CONSTANTX(InLatched, Latched),

/* Inter-processor request bits.  Not exported on amd64; IPI_SYNCH_REQUEST is x86-only. */
HEADER("IPI"),
#ifndef _M_AMD64
CONSTANT(IPI_APC),
CONSTANT(IPI_DPC),
CONSTANT(IPI_FREEZE),
CONSTANT(IPI_PACKET_READY),
#endif // _M_AMD64
#ifdef _M_IX86
CONSTANT(IPI_SYNCH_REQUEST),
#endif // _M_IX86

/* IRQLs.  CLOCK_LEVEL is a single level on amd64 and two (CLOCK1/CLOCK2) on x86. */
HEADER("IRQL"),
CONSTANT(PASSIVE_LEVEL),
CONSTANT(APC_LEVEL),
CONSTANT(DISPATCH_LEVEL),
#ifdef _M_AMD64
CONSTANT(CLOCK_LEVEL),
#elif defined(_M_IX86)
CONSTANT(CLOCK1_LEVEL),
CONSTANT(CLOCK2_LEVEL),
#endif
CONSTANT(IPI_LEVEL),
CONSTANT(POWER_LEVEL),
CONSTANT(PROFILE_LEVEL),
CONSTANT(HIGH_LEVEL),
// SYNCH_LEVEL depends on NT_UP, which is only known where the generated
// include is consumed, not when this table is compiled: the conditional is
// passed through verbatim via RAW() and both candidate values are emitted
// (DISPATCH_LEVEL for UP, IPI_LEVEL - 2 for MP).  Keep the MP formula in
// step with the C definition of SYNCH_LEVEL.
RAW("#ifdef NT_UP"),
{TYPE_CONSTANT, "SYNCH_LEVEL", DISPATCH_LEVEL},
RAW("#else"),
{TYPE_CONSTANT, "SYNCH_LEVEL", (IPI_LEVEL - 2)},
RAW("#endif"),

/* Win8+ only.  Presumably the parameters of the interrupt-timing entropy
 * source; asm that fills the timing buffer must use the same mask as the
 * C side or the RNG input is silently truncated - verify against the
 * defining header. */
#if (NTDDI_VERSION >= NTDDI_WIN8)
HEADER("Entropy Timing Constants"),
CONSTANT(KENTROPY_TIMING_INTERRUPTS_PER_BUFFER),
CONSTANT(KENTROPY_TIMING_BUFFER_MASK),
CONSTANT(KENTROPY_TIMING_ANALYSIS),
#endif

/* Queued spin-lock state bits and the dispatcher lock queue index. */
HEADER("Lock Queue"),
CONSTANT(LOCK_QUEUE_WAIT),
CONSTANT(LOCK_QUEUE_OWNER),
CONSTANT(LockQueueDispatcherLock), /// FIXME: obsolete

//HEADER("Performance Definitions"),
//CONSTANT(PERF_CONTEXTSWAP_OFFSET),
//CONSTANT(PERF_CONTEXTSWAP_FLAG),
//CONSTANT(PERF_INTERRUPT_OFFSET),
//CONSTANT(PERF_INTERRUPT_FLAG),
//CONSTANT(PERF_SYSCALL_OFFSET),
//CONSTANT(PERF_SYSCALL_FLAG),
#ifndef _M_ARM
//CONSTANT(PERF_PROFILE_OFFSET), /// FIXME: obsolete
//CONSTANT(PERF_PROFILE_FLAG), /// FIXME: obsolete
//CONSTANT(PERF_SPINLOCK_OFFSET), /// FIXME: obsolete
//CONSTANT(PERF_SPINLOCK_FLAG), /// FIXME: obsolete
#endif
#ifdef _M_IX86
//CONSTANT(PERF_IPI_OFFSET), // 00008H
//CONSTANT(PERF_IPI_FLAG), // 0400000H
//CONSTANT(PERF_IPI), // 040400000H
#endif
//CONSTANT(PERF_INTERRUPT), // 020004000H
//CONSTANT(NTOS_YIELD_MACRO),

/* KPROCESS_STATE enumerators. */
HEADER("Process states"),
CONSTANT(ProcessInMemory),
CONSTANT(ProcessOutOfMemory),
CONSTANT(ProcessInTransition),

/* MODE enumerators.  These are the values asm compares against a thread's
 * PreviousMode (ThPreviousMode, below); presumably the basis for deciding
 * whether caller pointers must be probed, so they must match the C enum. */
HEADER("Processor mode"),
CONSTANT(KernelMode),
CONSTANT(UserMode),

/* System-call number decoding (continued on the next line). */
HEADER("Service Table Constants"),
CONSTANT(NUMBER_SERVICE_TABLES),
// Masks/shift that split a system-call number into table index and entry
// index.  NOTE(review): this only exports the decode constants; bounds-
// checking the decoded entry index against the table's Limit (SdLimit) is
// the responsibility of the consuming syscall asm.
CONSTANT(SERVICE_NUMBER_MASK),
CONSTANT(SERVICE_TABLE_SHIFT),
CONSTANT(SERVICE_TABLE_MASK),
CONSTANT(SERVICE_TABLE_TEST),

/* NTSTATUS values referenced from asm (trap handlers, dispatcher, unwinder). */
HEADER("Status codes"),
CONSTANT(STATUS_ACCESS_VIOLATION),
CONSTANT(STATUS_ASSERTION_FAILURE),
CONSTANT(STATUS_ARRAY_BOUNDS_EXCEEDED),
CONSTANT(STATUS_BAD_COMPRESSION_BUFFER),
CONSTANT(STATUS_BREAKPOINT),
CONSTANT(STATUS_CALLBACK_POP_STACK),
CONSTANT(STATUS_DATATYPE_MISALIGNMENT),
CONSTANT(STATUS_FLOAT_DENORMAL_OPERAND),
CONSTANT(STATUS_FLOAT_DIVIDE_BY_ZERO),
CONSTANT(STATUS_FLOAT_INEXACT_RESULT),
CONSTANT(STATUS_FLOAT_INVALID_OPERATION),
CONSTANT(STATUS_FLOAT_OVERFLOW),
CONSTANT(STATUS_FLOAT_STACK_CHECK),
CONSTANT(STATUS_FLOAT_UNDERFLOW),
CONSTANT(STATUS_FLOAT_MULTIPLE_FAULTS),
CONSTANT(STATUS_FLOAT_MULTIPLE_TRAPS),
CONSTANT(STATUS_GUARD_PAGE_VIOLATION),
CONSTANT(STATUS_ILLEGAL_FLOAT_CONTEXT),
CONSTANT(STATUS_ILLEGAL_INSTRUCTION),
CONSTANT(STATUS_INSTRUCTION_MISALIGNMENT),
CONSTANT(STATUS_INVALID_HANDLE),
CONSTANT(STATUS_INVALID_LOCK_SEQUENCE),
CONSTANT(STATUS_INVALID_OWNER),
CONSTANT(STATUS_INVALID_PARAMETER),
CONSTANT(STATUS_INVALID_PARAMETER_1),
CONSTANT(STATUS_INVALID_SYSTEM_SERVICE),
//CONSTANT(STATUS_INVALID_THREAD),
CONSTANT(STATUS_INTEGER_DIVIDE_BY_ZERO),
CONSTANT(STATUS_INTEGER_OVERFLOW),
CONSTANT(STATUS_IN_PAGE_ERROR),
CONSTANT(STATUS_KERNEL_APC),
CONSTANT(STATUS_LONGJUMP),
CONSTANT(STATUS_NO_CALLBACK_ACTIVE),
#ifndef _M_ARM
CONSTANT(STATUS_NO_EVENT_PAIR), /// FIXME: obsolete
#endif
CONSTANT(STATUS_PRIVILEGED_INSTRUCTION),
CONSTANT(STATUS_SINGLE_STEP),
// Status reported for a detected stack-buffer overrun (presumably the /GS
// cookie failure path); security-relevant, keep exported.
CONSTANT(STATUS_STACK_BUFFER_OVERRUN),
CONSTANT(STATUS_STACK_OVERFLOW),
CONSTANT(STATUS_SUCCESS),
CONSTANT(STATUS_THREAD_IS_TERMINATING),
CONSTANT(STATUS_TIMEOUT),
CONSTANT(STATUS_UNWIND),
CONSTANT(STATUS_UNWIND_CONSOLIDATE),
CONSTANT(STATUS_USER_APC),
CONSTANT(STATUS_WAKE_SYSTEM),
CONSTANT(STATUS_WAKE_SYSTEM_DEBUGGER),
//CONSTANT(STATUS_SET_CONTEXT_DENIED),

//HEADER("Thread flags"),
//CONSTANT(THREAD_FLAGS_CYCLE_PROFILING),
//CONSTANT(THREAD_FLAGS_CYCLE_PROFILING_LOCK_BIT),
//CONSTANT(THREAD_FLAGS_CYCLE_PROFILING_LOCK),
//CONSTANT(THREAD_FLAGS_COUNTER_PROFILING),
//CONSTANT(THREAD_FLAGS_COUNTER_PROFILING_LOCK_BIT),
//CONSTANT(THREAD_FLAGS_COUNTER_PROFILING_LOCK),
//CONSTANT(THREAD_FLAGS_CPU_THROTTLED), /// FIXME: obsolete
//CONSTANT(THREAD_FLAGS_CPU_THROTTLED_BIT), /// FIXME: obsolete
//CONSTANT(THREAD_FLAGS_ACCOUNTING_CSWITCH),
//CONSTANT(THREAD_FLAGS_ACCOUNTING_INTERRUPT),
//CONSTANT(THREAD_FLAGS_ACCOUNTING_ANY),
//CONSTANT(THREAD_FLAGS_GROUP_SCHEDULING),
//CONSTANT(THREAD_FLAGS_AFFINITY_SET),
#ifdef _M_IX86
//CONSTANT(THREAD_FLAGS_INSTRUMENTED), // 0x0040
//CONSTANT(THREAD_FLAGS_INSTRUMENTED_PROFILING), // 0x0041
#endif // _M_IX86

/* Sizes of the TEB TlsSlots array and of the TlsExpansionSlots block;
 * asm indexing TeTlsSlots/TeTlsExpansionSlots must bound the index by these. */
HEADER("TLS defines"),
CONSTANT(TLS_MINIMUM_AVAILABLE),
CONSTANT(TLS_EXPANSION_SLOTS),

/* KTHREAD_STATE enumerators.  Only ARM exports Transition/DeferredReady here. */
HEADER("Thread states"),
CONSTANT(Initialized),
CONSTANT(Ready),
CONSTANT(Running),
CONSTANT(Standby),
CONSTANT(Terminated),
CONSTANT(Waiting),
#ifdef _M_ARM
CONSTANT(Transition),
CONSTANT(DeferredReady),
//CONSTANT(GateWaitObsolete),
#endif // _M_ARM

/* KWAIT_REASON values used by asm, plus the WAIT_TYPE enumerators. */
HEADER("Wait type / reason"),
CONSTANT(WrExecutive),
CONSTANT(WrMutex), /// FIXME: Obsolete
CONSTANT(WrDispatchInt),
CONSTANT(WrQuantumEnd), /// FIXME: Obsolete
CONSTANT(WrEventPair), /// FIXME: Obsolete
CONSTANT(WaitAny),
CONSTANT(WaitAll),

/* Kernel stack geometry.  COMMIT is the initially committed part of a
 * LARGE stack (presumably); asm that carves frames below StackLimit must
 * stay within it.  The amd64-only entries size the dedicated exception
 * stacks (MCA, NMI, ISR). */
HEADER("Stack sizes"),
CONSTANT(KERNEL_STACK_SIZE), /// FIXME: Obsolete
CONSTANT(KERNEL_LARGE_STACK_SIZE),
CONSTANT(KERNEL_LARGE_STACK_COMMIT),
//CONSTANT(DOUBLE_FAULT_STACK_SIZE),
#ifdef _M_AMD64
CONSTANT(KERNEL_MCA_EXCEPTION_STACK_SIZE),
CONSTANT(NMI_STACK_SIZE),
CONSTANT(ISR_STACK_SIZE),
#endif

//CONSTANT(KTHREAD_AUTO_ALIGNMENT_BIT),
//CONSTANT(KTHREAD_GUI_THREAD_MASK),
//CONSTANT(KTHREAD_SYSTEM_THREAD_BIT),
//CONSTANT(KTHREAD_QUEUE_DEFER_PREEMPTION_BIT),
//CONSTANT(KTHREAD_RESTRICTED_GUI_THREAD_MASK),
//CONSTANT(KTHREAD_BAM_QOS_LEVEL_MASK),

/* Assorted scalars referenced from asm; most are scheduler tunables. */
HEADER("Miscellaneous Definitions"),
CONSTANT(TRUE),
CONSTANT(FALSE),
CONSTANT(PAGE_SIZE),
CONSTANT(Executive),
//CONSTANT(BASE_PRIORITY_THRESHOLD),
//CONSTANT(EVENT_PAIR_INCREMENT), /// FIXME: obsolete
CONSTANT(LOW_REALTIME_PRIORITY),
CONSTANT(CLOCK_QUANTUM_DECREMENT),
//CONSTANT(READY_SKIP_QUANTUM),
//CONSTANT(THREAD_QUANTUM),
CONSTANT(WAIT_QUANTUM_DECREMENT),
//CONSTANT(ROUND_TRIP_DECREMENT_COUNT),
CONSTANT(MAXIMUM_PROCESSORS),
CONSTANT(INITIAL_STALL_COUNT),
//CONSTANT(EXCEPTION_EXECUTE_FAULT), // amd64
//CONSTANT(KCACHE_ERRATA_MONITOR_FLAGS), // not arm
//CONSTANT(KI_DPC_ALL_FLAGS),
//CONSTANT(KI_DPC_ANY_DPC_ACTIVE),
//CONSTANT(KI_DPC_INTERRUPT_FLAGS), // 0x2f arm and x64
//CONSTANT(KI_EXCEPTION_GP_FAULT), // not i386
//CONSTANT(KI_EXCEPTION_INVALID_OP), // not i386
//CONSTANT(KI_EXCEPTION_INTEGER_DIVIDE_BY_ZERO), // amd64
// Internal exception code the trap handlers hand to the dispatcher for a
// page-fault access violation (the only KI_EXCEPTION_* currently exported).
CONSTANT(KI_EXCEPTION_ACCESS_VIOLATION),
//CONSTANT(KI_EXCEPTION_SECURE_FAULT),
//CONSTANT(KI_EXCEPTION_SEGMENT_NOT_PRESENT),
//CONSTANT(KINTERRUPT_STATE_DISABLED_BIT),
//CONSTANT(KINTERRUPT_STATE_DISABLED),
//CONSTANT(TARGET_FREEZE), // amd64
//CONSTANT(BlackHole), // FIXME: obsolete
CONSTANT(DBG_STATUS_CONTROL_C),
// Deliberately not exported: USER_SHARED_DATA is the user-mode mapping;
// kernel asm must address the page through its kernel-mode VA, or it ends
// up reading/writing a user-controlled address.
//CONSTANTPTR(USER_SHARED_DATA), // FIXME: we need the kernel mode address here!
//CONSTANT(MM_SHARED_USER_DATA_VA),
//CONSTANT(KERNEL_STACK_CONTROL_LARGE_STACK), // FIXME: obsolete
//CONSTANT(DISPATCH_LENGTH), // FIXME: obsolete
//CONSTANT(KI_SLIST_FAULT_COUNT_MAXIMUM), // i386
//CONSTANT(USER_CALLBACK_FILTER),

/* x86/amd64 only: IDT geometry and the selector bits asm uses to derive
 * the previous mode from a trap frame's CS (RPL_MASK / MODE_MASK) -
 * security-relevant, since a wrong mask mis-classifies a user trap as
 * kernel; confirm the values against the segment definitions. */
#if !defined(_M_ARM) && !defined(_M_ARM64)
CONSTANT(MAXIMUM_IDTVECTOR),
//CONSTANT(MAXIMUM_PRIMARY_VECTOR),
CONSTANT(PRIMARY_VECTOR_BASE),
CONSTANT(RPL_MASK),
CONSTANT(MODE_MASK),
//MODE_BIT equ 00000H amd64
//LDT_MASK equ 00004H amd64
#endif


/* STRUCTURE OFFSETS *********************************************************/

//HEADER("KAFFINITY_EX"),
//OFFSET(AfCount, KAFFINITY_EX, Count),
//OFFSET(AfBitmap, KAFFINITY_EX, Bitmap),
//SIZE(AffinityExLength, KAFFINITY_EX),

//HEADER("Aligned Affinity"),
//OFFSET(AfsCpuSet, ???, CpuSet), // FIXME: obsolete

/* KAPC field offsets. */
HEADER("KAPC"),
OFFSET(ApType, KAPC, Type),
OFFSET(ApSize, KAPC, Size),
OFFSET(ApThread, KAPC, Thread),
OFFSET(ApApcListEntry, KAPC, ApcListEntry),
OFFSET(ApKernelRoutine, KAPC, KernelRoutine),
OFFSET(ApRundownRoutine, KAPC, RundownRoutine),
OFFSET(ApNormalRoutine, KAPC, NormalRoutine),
OFFSET(ApNormalContext, KAPC, NormalContext),
OFFSET(ApSystemArgument1, KAPC, SystemArgument1),
OFFSET(ApSystemArgument2, KAPC, SystemArgument2),
OFFSET(ApApcStateIndex, KAPC, ApcStateIndex),
OFFSET(ApApcMode, KAPC, ApcMode),
OFFSET(ApInserted, KAPC, Inserted),
SIZE(ApcObjectLength, KAPC),

/* The four-slot record handed to a user-mode APC, expressed relative to
 * NormalRoutine.  NOTE(review): the Ar* offsets are derived from the
 * struct, but ApcRecordLength is a bare 4 * sizeof(PVOID) - it only
 * matches if NormalRoutine, NormalContext, SystemArgument1 and
 * SystemArgument2 are contiguous pointer-sized fields, and nothing here
 * checks that.  A KAPC layout change desynchronises them silently. */
HEADER("KAPC offsets (relative to NormalRoutine)"),
RELOFFSET(ArNormalRoutine, KAPC, NormalRoutine, NormalRoutine),
RELOFFSET(ArNormalContext, KAPC, NormalContext, NormalRoutine),
RELOFFSET(ArSystemArgument1, KAPC, SystemArgument1, NormalRoutine),
RELOFFSET(ArSystemArgument2, KAPC, SystemArgument2, NormalRoutine),
CONSTANTX(ApcRecordLength, 4 * sizeof(PVOID)),

/* KAPC_STATE field offsets. */
HEADER("KAPC_STATE"),
OFFSET(AsApcListHead, KAPC_STATE, ApcListHead),
OFFSET(AsProcess, KAPC_STATE, Process),
OFFSET(AsKernelApcInProgress, KAPC_STATE, KernelApcInProgress), // FIXME: obsolete
OFFSET(AsKernelApcPending, KAPC_STATE, KernelApcPending),
OFFSET(AsUserApcPending, KAPC_STATE, UserApcPending),

HEADER("CLIENT_ID"),
OFFSET(CidUniqueProcess, CLIENT_ID, UniqueProcess),
OFFSET(CidUniqueThread, CLIENT_ID, UniqueThread),

/* User-mode critical section layout (a user-address-space structure). */
HEADER("RTL_CRITICAL_SECTION"), // No longer in Win 10 amd64
OFFSET(CsDebugInfo, RTL_CRITICAL_SECTION, DebugInfo),
OFFSET(CsLockCount, RTL_CRITICAL_SECTION, LockCount),
OFFSET(CsRecursionCount, RTL_CRITICAL_SECTION, RecursionCount),
OFFSET(CsOwningThread, RTL_CRITICAL_SECTION, OwningThread),
OFFSET(CsLockSemaphore, RTL_CRITICAL_SECTION, LockSemaphore),
OFFSET(CsSpinCount, RTL_CRITICAL_SECTION, SpinCount),

HEADER("RTL_CRITICAL_SECTION_DEBUG"), // No longer in Win 10 amd64
OFFSET(CsType, RTL_CRITICAL_SECTION_DEBUG, Type),
OFFSET(CsCreatorBackTraceIndex, RTL_CRITICAL_SECTION_DEBUG, CreatorBackTraceIndex),
OFFSET(CsCriticalSection, RTL_CRITICAL_SECTION_DEBUG, CriticalSection),
OFFSET(CsProcessLocksList, RTL_CRITICAL_SECTION_DEBUG, ProcessLocksList),
OFFSET(CsEntryCount, RTL_CRITICAL_SECTION_DEBUG, EntryCount),
OFFSET(CsContentionCount, RTL_CRITICAL_SECTION_DEBUG, ContentionCount),

HEADER("KDEVICE_QUEUE_ENTRY"),
OFFSET(DeDeviceListEntry, KDEVICE_QUEUE_ENTRY, DeviceListEntry),
OFFSET(DeSortKey, KDEVICE_QUEUE_ENTRY, SortKey),
OFFSET(DeInserted, KDEVICE_QUEUE_ENTRY, Inserted),
SIZE(DeviceQueueEntryLength, KDEVICE_QUEUE_ENTRY),

/* KDPC field offsets (continued on the next line). */
HEADER("KDPC"),
OFFSET(DpType, KDPC, Type),
OFFSET(DpImportance, KDPC, Importance),
OFFSET(DpNumber, KDPC, Number),
OFFSET(DpDpcListEntry, KDPC, DpcListEntry),
OFFSET(DpDeferredRoutine, KDPC, DeferredRoutine),
OFFSET(DpDeferredContext, KDPC, DeferredContext),
OFFSET(DpSystemArgument1, KDPC, SystemArgument1),
OFFSET(DpSystemArgument2, KDPC, SystemArgument2),
OFFSET(DpDpcData, KDPC, DpcData),
SIZE(DpcObjectLength, KDPC),

/* KDEVICE_QUEUE field offsets (DvSpinLock maps the field named Lock). */
HEADER("KDEVICE_QUEUE"),
OFFSET(DvType, KDEVICE_QUEUE, Type),
OFFSET(DvSize, KDEVICE_QUEUE, Size),
OFFSET(DvDeviceListHead, KDEVICE_QUEUE, DeviceListHead),
OFFSET(DvSpinLock, KDEVICE_QUEUE, Lock),
OFFSET(DvBusy, KDEVICE_QUEUE, Busy),
SIZE(DeviceQueueObjectLength, KDEVICE_QUEUE),

/* EXCEPTION_RECORD offsets.  An exception record may originate in user
 * mode; a consumer that copies NumberParameters entries of
 * ExceptionInformation must clamp the count to the (presumably fixed)
 * array size first - nothing here enforces that. */
HEADER("EXCEPTION_RECORD"),
OFFSET(ErExceptionCode, EXCEPTION_RECORD, ExceptionCode),
OFFSET(ErExceptionFlags, EXCEPTION_RECORD, ExceptionFlags),
OFFSET(ErExceptionRecord, EXCEPTION_RECORD, ExceptionRecord),
OFFSET(ErExceptionAddress, EXCEPTION_RECORD, ExceptionAddress),
OFFSET(ErNumberParameters, EXCEPTION_RECORD, NumberParameters),
OFFSET(ErExceptionInformation, EXCEPTION_RECORD, ExceptionInformation),
SIZE(ExceptionRecordLength, EXCEPTION_RECORD),
SIZE(EXCEPTION_RECORD_LENGTH, EXCEPTION_RECORD), // not i386

/* EPROCESS offsets.  The per-arch entry is the VDM object pointer on x86
 * and the WOW64 process pointer on amd64. */
HEADER("EPROCESS"),
OFFSET(EpDebugPort, EPROCESS, DebugPort),
#if defined(_M_IX86)
OFFSET(EpVdmObjects, EPROCESS, VdmObjects),
#elif defined(_M_AMD64)
OFFSET(EpWow64Process, EPROCESS, Wow64Process),
#endif
SIZE(ExecutiveProcessObjectLength, EPROCESS),

/* ETHREAD offsets.  The "// 0x..." trailers are a snapshot of one build's
 * layout, not a contract - the generated value is what asm must use. */
HEADER("ETHREAD offsets"),
OFFSET(EtCid, ETHREAD, Cid), // 0x364
//OFFSET(EtPicoContext, ETHREAD, PicoContext),
SIZE(ExecutiveThreadObjectLength, ETHREAD), // 0x418

/* KEVENT is just a DISPATCHER_HEADER; offsets go through Header.*. */
HEADER("KEVENT"),
OFFSET(EvType, KEVENT, Header.Type),
OFFSET(EvSize, KEVENT, Header.Size),
OFFSET(EvSignalState, KEVENT, Header.SignalState),
OFFSET(EvWaitListHead, KEVENT, Header.WaitListHead),
SIZE(EventObjectLength, KEVENT),

/* User-mode FIBER layout (continued on the next line). */
HEADER("FIBER"),
OFFSET(FbFiberData, FIBER, FiberData),
OFFSET(FbExceptionList, FIBER, ExceptionList),
OFFSET(FbStackBase, FIBER, StackBase),
OFFSET(FbStackLimit, FIBER, StackLimit),
OFFSET(FbDeallocationStack, FIBER, DeallocationStack),
OFFSET(FbFiberContext, FIBER, FiberContext),
//OFFSET(FbWx86Tib, FIBER, Wx86Tib),
//OFFSET(FbActivationContextStackPointer, FIBER, ActivationContextStackPointer),
OFFSET(FbFlsData, FIBER, FlsData),
OFFSET(FbGuaranteedStackBytes, FIBER, GuaranteedStackBytes),
//OFFSET(FbTebFlags, FIBER, TebFlags),

/* FAST_MUTEX offsets used by the asm acquire/release paths. */
HEADER("FAST_MUTEX"),
OFFSET(FmCount, FAST_MUTEX, Count),
OFFSET(FmOwner, FAST_MUTEX, Owner),
OFFSET(FmContention, FAST_MUTEX, Contention),
//OFFSET(FmGate, FAST_MUTEX, Gate), // obsolete
OFFSET(FmOldIrql, FAST_MUTEX, OldIrql),

/* Not exported on ARM. */
#ifndef _M_ARM
HEADER("GETSETCONTEXT offsets"), // GET_SET_CTX_CONTEXT
OFFSET(GetSetCtxContextPtr, GETSETCONTEXT, Context),
#endif // _M_ARM

/* KINTERRUPT offsets used by the interrupt dispatch asm. */
HEADER("KINTERRUPT"),
OFFSET(InType, KINTERRUPT, Type),
OFFSET(InSize, KINTERRUPT, Size),
OFFSET(InInterruptListEntry, KINTERRUPT, InterruptListEntry),
OFFSET(InServiceRoutine, KINTERRUPT, ServiceRoutine),
OFFSET(InServiceContext, KINTERRUPT, ServiceContext),
OFFSET(InSpinLock, KINTERRUPT, SpinLock),
OFFSET(InTickCount, KINTERRUPT, TickCount),
OFFSET(InActualLock, KINTERRUPT, ActualLock),
OFFSET(InDispatchAddress, KINTERRUPT, DispatchAddress),
OFFSET(InVector, KINTERRUPT, Vector),
OFFSET(InIrql, KINTERRUPT, Irql),
OFFSET(InSynchronizeIrql, KINTERRUPT, SynchronizeIrql),
OFFSET(InFloatingSave, KINTERRUPT, FloatingSave),
OFFSET(InConnected, KINTERRUPT, Connected),
OFFSET(InNumber, KINTERRUPT, Number),
OFFSET(InShareVector, KINTERRUPT, ShareVector),
//OFFSET(InInternalState, KINTERRUPT, InternalState),
OFFSET(InMode, KINTERRUPT, Mode),
OFFSET(InServiceCount, KINTERRUPT, ServiceCount),
OFFSET(InDispatchCount, KINTERRUPT, DispatchCount),
//OFFSET(InTrapFrame, KINTERRUPT, TrapFrame), // amd64
// NOTE(review): DispatchCode is presumably the in-object interrupt
// trampoline template (executable bytes inside a data object, a W^X
// concern).  Marked obsolete - confirm nothing still patches it before
// dropping the export.
OFFSET(InDispatchCode, KINTERRUPT, DispatchCode), // obsolete
SIZE(InterruptObjectLength, KINTERRUPT),

/* amd64 only (continued on the next line). */
#ifdef _M_AMD64
HEADER("IO_STATUS_BLOCK"),
OFFSET(IoStatus, IO_STATUS_BLOCK, Status),
OFFSET(IoPointer, IO_STATUS_BLOCK, Pointer),
OFFSET(IoInformation, IO_STATUS_BLOCK, Information),
#endif /* _M_AMD64 */

/* Win8+ kernel stack control block (the Previous.* entries describe the
 * stack being switched away from).  On older targets nothing is exported. */
#if (NTDDI_VERSION >= NTDDI_WIN8)
HEADER("KSTACK_CONTROL"),
OFFSET(KcCurrentBase, KSTACK_CONTROL, StackBase),
OFFSET(KcActualLimit, KSTACK_CONTROL, ActualLimit),
OFFSET(KcPreviousBase, KSTACK_CONTROL, Previous.StackBase),
OFFSET(KcPreviousLimit, KSTACK_CONTROL, Previous.StackLimit),
OFFSET(KcPreviousKernel, KSTACK_CONTROL, Previous.KernelStack),
OFFSET(KcPreviousInitial, KSTACK_CONTROL, Previous.InitialStack),
// NOTE(review): _IX86 is not the macro the rest of this file tests
// (_M_IX86 / _X86_), so as written these two offsets are never exported.
// Confirm whether that is intended, or whether the x86 KSTACK_CONTROL
// really has PreviousTrapFrame/PreviousExceptionList and the gate is a typo.
#ifdef _IX86
OFFSET(KcTrapFrame, KSTACK_CONTROL, PreviousTrapFrame),
OFFSET(KcExceptionList, KSTACK_CONTROL, PreviousExceptionList),
#endif // _IX86
SIZE(KSTACK_CONTROL_LENGTH, KSTACK_CONTROL),
CONSTANT(KSTACK_ACTUAL_LIMIT_EXPANDED), // move somewhere else?
#else
//HEADER("KERNEL_STACK_CONTROL"), // obsolete
#endif

#if 0 // no longer in win 10, different struct
HEADER("KNODE"),
//OFFSET(KnRight, KNODE, Right),
//OFFSET(KnLeft, KNODE, Left),
OFFSET(KnPfnDereferenceSListHead, KNODE, PfnDereferenceSListHead),
OFFSET(KnProcessorMask, KNODE, ProcessorMask),
OFFSET(KnColor, KNODE, Color),
OFFSET(KnSeed, KNODE, Seed),
OFFSET(KnNodeNumber, KNODE, NodeNumber),
OFFSET(KnFlags, KNODE, Flags),
OFFSET(KnMmShiftedColor, KNODE, MmShiftedColor),
OFFSET(KnFreeCount, KNODE, FreeCount),
OFFSET(KnPfnDeferredList, KNODE, PfnDeferredList),
SIZE(KNODE_SIZE, KNODE),
#endif

/* Queued spin-lock structures. */
HEADER("KSPIN_LOCK_QUEUE"),
OFFSET(LqNext, KSPIN_LOCK_QUEUE, Next),
OFFSET(LqLock, KSPIN_LOCK_QUEUE, Lock),
SIZE(LOCK_QUEUE_HEADER_SIZE, KSPIN_LOCK_QUEUE),

HEADER("KLOCK_QUEUE_HANDLE"),
OFFSET(LqhLockQueue, KLOCK_QUEUE_HANDLE, LockQueue),
OFFSET(LqhNext, KLOCK_QUEUE_HANDLE, LockQueue.Next),
OFFSET(LqhLock, KLOCK_QUEUE_HANDLE, LockQueue.Lock),
OFFSET(LqhOldIrql, KLOCK_QUEUE_HANDLE, OldIrql),

HEADER("LARGE_INTEGER"),
OFFSET(LiLowPart, LARGE_INTEGER, LowPart),
OFFSET(LiHighPart, LARGE_INTEGER, HighPart),

/* Boot-time loader block, expressed relative to LoadOrderListHead (the
 * boot asm presumably only has a pointer to that list head). */
HEADER("LOADER_PARAMETER_BLOCK (rel. to LoadOrderListHead)"),
RELOFFSET(LpbKernelStack, LOADER_PARAMETER_BLOCK, KernelStack, LoadOrderListHead),
RELOFFSET(LpbPrcb, LOADER_PARAMETER_BLOCK, Prcb, LoadOrderListHead),
RELOFFSET(LpbProcess, LOADER_PARAMETER_BLOCK, Process, LoadOrderListHead),
RELOFFSET(LpbThread, LOADER_PARAMETER_BLOCK, Thread, LoadOrderListHead),

HEADER("LIST_ENTRY"),
OFFSET(LsFlink, LIST_ENTRY, Flink),
OFFSET(LsBlink, LIST_ENTRY, Blink),

/* PEB offsets.  The PEB lives in the process's user address space, so
 * everything read through these offsets - in particular the
 * KernelCallbackTable function pointers - is under user control and must
 * be probed/validated by the consumer, never trusted. */
HEADER("PEB"),
OFFSET(PeBeingDebugged, PEB, BeingDebugged),
OFFSET(PeProcessParameters, PEB, ProcessParameters),
OFFSET(PeKernelCallbackTable, PEB, KernelCallbackTable),
SIZE(ProcessEnvironmentBlockLength, PEB),

/* Kernel profile object offsets. */
HEADER("KPROFILE"),
OFFSET(PfType, KPROFILE, Type),
OFFSET(PfSize, KPROFILE, Size),
OFFSET(PfProfileListEntry, KPROFILE, ProfileListEntry),
OFFSET(PfProcess, KPROFILE, Process),
OFFSET(PfRangeBase, KPROFILE, RangeBase),
OFFSET(PfRangeLimit, KPROFILE, RangeLimit),
OFFSET(PfBucketShift, KPROFILE, BucketShift),
OFFSET(PfBuffer, KPROFILE, Buffer),
OFFSET(PfSegment, KPROFILE, Segment),
OFFSET(PfAffinity, KPROFILE, Affinity),
OFFSET(PfSource, KPROFILE, Source),
OFFSET(PfStarted, KPROFILE, Started),
SIZE(ProfileObjectLength, KPROFILE),

/* LPC message header (still exported, though flagged obsolete below). */
HEADER("PORT_MESSAGE"), // whole thing obsolete in win10
OFFSET(PmLength, PORT_MESSAGE, u1.Length),
OFFSET(PmZeroInit, PORT_MESSAGE, u2.ZeroInit),
OFFSET(PmClientId, PORT_MESSAGE, ClientId),
OFFSET(PmProcess, PORT_MESSAGE, ClientId.UniqueProcess),
OFFSET(PmThread, PORT_MESSAGE, ClientId.UniqueThread),
OFFSET(PmMessageId, PORT_MESSAGE, MessageId),
OFFSET(PmClientViewSize, PORT_MESSAGE, ClientViewSize),
SIZE(PortMessageLength, PORT_MESSAGE),

/* KPROCESS offsets (continued on the next line). */
HEADER("KPROCESS"),
OFFSET(PrType, KPROCESS, Header.Type),
OFFSET(PrSize, KPROCESS, Header.Size),
OFFSET(PrSignalState, KPROCESS, Header.SignalState),
OFFSET(PrProfileListHead, KPROCESS, ProfileListHead),
// Address-space root the context-switch asm loads (presumably into CR3 on
// x86/amd64); a wrong offset here switches to an attacker-influenced page
// table, so this entry must never drift from the struct.
OFFSET(PrDirectoryTableBase, KPROCESS, DirectoryTableBase),
#ifdef _M_ARM
//OFFSET(PrPageDirectory, KPROCESS, PageDirectory),
#elif defined(_M_IX86)
// x86 only: per-process LDT and VDM int 21h descriptors loaded on switch.
OFFSET(PrLdtDescriptor, KPROCESS, LdtDescriptor),
OFFSET(PrInt21Descriptor, KPROCESS, Int21Descriptor),
#endif
OFFSET(PrThreadListHead, KPROCESS, ThreadListHead),
OFFSET(PrAffinity, KPROCESS, Affinity),
OFFSET(PrReadyListHead, KPROCESS, ReadyListHead),
OFFSET(PrSwapListEntry, KPROCESS, SwapListEntry),
OFFSET(PrActiveProcessors, KPROCESS, ActiveProcessors),
OFFSET(PrProcessFlags, KPROCESS, ProcessFlags),
OFFSET(PrBasePriority, KPROCESS, BasePriority),
OFFSET(PrQuantumReset, KPROCESS, QuantumReset),
#if defined(_M_IX86)
// x86 only: I/O permission bitmap offset written into the TSS on switch
// (presumably) - governs which ports user mode may touch directly.
OFFSET(PrIopmOffset, KPROCESS, IopmOffset),
#endif
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
OFFSET(PrCycleTime, KPROCESS, CycleTime),
#endif
OFFSET(PrKernelTime, KPROCESS, KernelTime),
OFFSET(PrUserTime, KPROCESS, UserTime),
#if defined(_M_AMD64) || defined(_M_ARM)
//OFFSET(PrInstrumentationCallback, KPROCESS, InstrumentationCallback),
#elif defined(_M_IX86)
OFFSET(PrVdmTrapcHandler, KPROCESS, VdmTrapcHandler),
//OFFSET(PrVdmObjects, KPROCESS, VdmObjects),
OFFSET(PrFlags, KPROCESS, Flags),
#endif
SIZE(KernelProcessObjectLength, KPROCESS),

/* KQUEUE offsets; the Header.Type/Size entries are flagged as gone in Win10. */
HEADER("KQUEUE"),
OFFSET(QuType, KQUEUE, Header.Type), // not in win10
OFFSET(QuSize, KQUEUE, Header.Size), // not in win10
OFFSET(QuSignalState, KQUEUE, Header.SignalState),
OFFSET(QuEntryListHead, KQUEUE, EntryListHead),
OFFSET(QuCurrentCount, KQUEUE, CurrentCount),
OFFSET(QuMaximumCount, KQUEUE, MaximumCount),
OFFSET(QuThreadListHead, KQUEUE, ThreadListHead),
SIZE(QueueObjectLength, KQUEUE),

/* System service table descriptor.  Presumably Base is the array of
 * service routine addresses and Limit its entry count; the syscall asm
 * must compare the index decoded with SERVICE_NUMBER_MASK against Limit
 * *before* indexing Base - that bounds check is in the asm, not here. */
HEADER("KSERVICE_TABLE_DESCRIPTOR offsets"),
OFFSET(SdBase, KSERVICE_TABLE_DESCRIPTOR, Base),
OFFSET(SdCount, KSERVICE_TABLE_DESCRIPTOR, Count), // not in win10
OFFSET(SdLimit, KSERVICE_TABLE_DESCRIPTOR, Limit),
OFFSET(SdNumber, KSERVICE_TABLE_DESCRIPTOR, Number),
SIZE(SdLength, KSERVICE_TABLE_DESCRIPTOR),

/* Counted ANSI string; Length/MaximumLength are in bytes. */
HEADER("STRING"),
OFFSET(StrLength, STRING, Length),
OFFSET(StrMaximumLength, STRING, MaximumLength),
OFFSET(StrBuffer, STRING, Buffer),

/* TEB offsets.  The TEB is user-mode memory: anything kernel asm reads
 * through these (e.g. the x86 SEH chain head at NtTib.ExceptionList,
 * StackBase/StackLimit) is user-controlled and must be probed, not trusted. */
HEADER("TEB"),
#if defined(_M_IX86)
OFFSET(TeExceptionList, TEB, NtTib.ExceptionList),
#elif defined(_M_AMD64)
OFFSET(TeCmTeb, TEB, NtTib),
#endif
OFFSET(TeStackBase, TEB, NtTib.StackBase),
OFFSET(TeStackLimit, TEB, NtTib.StackLimit),
OFFSET(TeFiberData, TEB, NtTib.FiberData),
OFFSET(TeSelf, TEB, NtTib.Self),
OFFSET(TeEnvironmentPointer, TEB, EnvironmentPointer),
OFFSET(TeClientId, TEB, ClientId),
OFFSET(TeActiveRpcHandle, TEB, ActiveRpcHandle),
OFFSET(TeThreadLocalStoragePointer, TEB, ThreadLocalStoragePointer),
OFFSET(TePeb, TEB, ProcessEnvironmentBlock),
OFFSET(TeLastErrorValue, TEB, LastErrorValue),
OFFSET(TeCountOfOwnedCriticalSections, TEB, CountOfOwnedCriticalSections),
OFFSET(TeCsrClientThread, TEB, CsrClientThread),
OFFSET(TeWOW32Reserved, TEB, WOW32Reserved),
//OFFSET(TeSoftFpcr, TEB, SoftFpcr),
OFFSET(TeExceptionCode, TEB, ExceptionCode),
OFFSET(TeActivationContextStackPointer, TEB, ActivationContextStackPointer),
//#if (NTDDI_VERSION >= NTDDI_WIN10)
//OFFSET(TeInstrumentationCallbackSp, TEB, InstrumentationCallbackSp),
//OFFSET(TeInstrumentationCallbackPreviousPc, TEB, InstrumentationCallbackPreviousPc),
//OFFSET(TeInstrumentationCallbackPreviousSp, TEB, InstrumentationCallbackPreviousSp),
//#endif
OFFSET(TeGdiClientPID, TEB, GdiClientPID),
OFFSET(TeGdiClientTID, TEB, GdiClientTID),
OFFSET(TeGdiThreadLocalInfo, TEB, GdiThreadLocalInfo),
OFFSET(TeglDispatchTable, TEB, glDispatchTable),
OFFSET(TeglReserved1, TEB, glReserved1),
OFFSET(TeglReserved2, TEB, glReserved2),
OFFSET(TeglSectionInfo, TEB, glSectionInfo),
OFFSET(TeglSection, TEB, glSection),
OFFSET(TeglTable, TEB, glTable),
OFFSET(TeglCurrentRC, TEB, glCurrentRC),
OFFSET(TeglContext, TEB, glContext),
OFFSET(TeDeallocationStack, TEB, DeallocationStack),
// TlsSlots is a fixed array (TLS_MINIMUM_AVAILABLE entries) and
// TlsExpansionSlots a pointer to TLS_EXPANSION_SLOTS more; index with care.
OFFSET(TeTlsSlots, TEB, TlsSlots),
OFFSET(TeVdm, TEB, Vdm),
OFFSET(TeInstrumentation, TEB, Instrumentation),
OFFSET(TeGdiBatchCount, TEB, GdiBatchCount),
OFFSET(TeGuaranteedStackBytes, TEB, GuaranteedStackBytes),
OFFSET(TeTlsExpansionSlots, TEB, TlsExpansionSlots),
OFFSET(TeFlsData, TEB, FlsData),
SIZE(ThreadEnvironmentBlockLength, TEB),

HEADER("TIME_FIELDS"),
OFFSET(TfYear, TIME_FIELDS, Year),
OFFSET(TfMonth, TIME_FIELDS, Month),
OFFSET(TfDay, TIME_FIELDS, Day),
OFFSET(TfHour, TIME_FIELDS, Hour),
OFFSET(TfMinute, TIME_FIELDS, Minute),
OFFSET(TfSecond, TIME_FIELDS, Second),
OFFSET(TfMilliseconds, TIME_FIELDS, Milliseconds),
OFFSET(TfWeekday, TIME_FIELDS, Weekday),

/* KTHREAD offsets - the most heavily used section: trap entry/exit,
 * context switch and APC delivery all index KTHREAD from asm.  The
 * dispatcher-header fields go through Header.*; InitialStack/StackLimit/
 * StackBase describe the kernel stack the trap path switches to.
 * (Continued on the next line.) */
HEADER("KTHREAD"),
OFFSET(ThType, KTHREAD, Header.Type),
OFFSET(ThLock, KTHREAD, Header.Lock),
OFFSET(ThSize, KTHREAD, Header.Size),
OFFSET(ThThreadControlFlags, KTHREAD, Header.ThreadControlFlags),
OFFSET(ThDebugActive, KTHREAD, Header.DebugActive),
OFFSET(ThSignalState, KTHREAD, Header.SignalState),
OFFSET(ThInitialStack, KTHREAD, InitialStack),
OFFSET(ThStackLimit, KTHREAD, StackLimit),
OFFSET(ThStackBase, KTHREAD, StackBase),
OFFSET(ThThreadLock, KTHREAD, ThreadLock),
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
OFFSET(ThCycleTime, KTHREAD, CycleTime),
#if defined(_M_IX86)
OFFSET(ThHighCycleTime, KTHREAD, HighCycleTime),
#endif
#endif /* (NTDDI_VERSION >= NTDDI_LONGHORN) */
#if defined(_M_IX86)
// x86 only: per-thread service table pointer the syscall path dispatches
// through; a thread-writable table pointer is a classic hook target, so
// its offset must stay exact.
OFFSET(ThServiceTable, KTHREAD, ServiceTable),
#endif
//OFFSET(ThCurrentRunTime, KTHREAD, CurrentRunTime), 748 //OFFSET(ThStateSaveArea, KTHREAD, StateSaveArea), // 0x3C not arm 749 OFFSET(ThKernelStack, KTHREAD, KernelStack), 750 #if (NTDDI_VERSION >= NTDDI_WIN7) 751 OFFSET(ThRunning, KTHREAD, Running), 752 #endif /* (NTDDI_VERSION >= NTDDI_WIN7) */ 753 OFFSET(ThAlerted, KTHREAD, Alerted), 754 #if (NTDDI_VERSION >= NTDDI_WIN7) 755 OFFSET(ThMiscFlags, KTHREAD, MiscFlags), 756 #endif /* (NTDDI_VERSION >= NTDDI_WIN7) */ 757 OFFSET(ThThreadFlags, KTHREAD, ThreadFlags), 758 #if (NTDDI_VERSION >= NTDDI_LONGHORN) 759 OFFSET(ThSystemCallNumber, KTHREAD, SystemCallNumber), 760 #endif /* (NTDDI_VERSION >= NTDDI_LONGHORN) */ 761 //OFFSET(ThFirstArgument, KTHREAD, FirstArgument), 762 OFFSET(ThTrapFrame, KTHREAD, TrapFrame), 763 OFFSET(ThApcState, KTHREAD, ApcState), 764 OFFSET(ThPriority, KTHREAD, Priority), // obsolete 765 OFFSET(ThSwapBusy, KTHREAD, SwapBusy), 766 OFFSET(ThContextSwitches, KTHREAD, ContextSwitches), 767 OFFSET(ThState, KTHREAD, State), 768 OFFSET(ThProcess, KTHREAD, Process), // thProcess in native headers 769 OFFSET(ThNpxState, KTHREAD, NpxState), 770 OFFSET(ThWaitIrql, KTHREAD, WaitIrql), 771 OFFSET(ThWaitMode, KTHREAD, WaitMode), // obsolete 772 OFFSET(ThTeb, KTHREAD, Teb), 773 OFFSET(ThTimer, KTHREAD, Timer), 774 OFFSET(ThWin32Thread, KTHREAD, Win32Thread), 775 OFFSET(ThWaitTime, KTHREAD, WaitTime), 776 OFFSET(ThCombinedApcDisable, KTHREAD, CombinedApcDisable), 777 OFFSET(ThKernelApcDisable, KTHREAD, KernelApcDisable), 778 OFFSET(ThSpecialApcDisable, KTHREAD, SpecialApcDisable), 779 #if defined(_M_ARM) 780 //OFFSET(ThVfpState, KTHREAD, VfpState), 781 #endif 782 OFFSET(ThNextProcessor, KTHREAD, NextProcessor), 783 //OFFSET(ThProcess, KTHREAD, Process), 784 OFFSET(ThPreviousMode, KTHREAD, PreviousMode), 785 OFFSET(ThPriorityDecrement, KTHREAD, PriorityDecrement), // obsolete 786 OFFSET(ThAdjustReason, KTHREAD, AdjustReason), 787 OFFSET(ThAdjustIncrement, KTHREAD, AdjustIncrement), 788 OFFSET(ThAffinity, 
KTHREAD, Affinity), // obsolete 789 OFFSET(ThApcStateIndex, KTHREAD, ApcStateIndex), 790 OFFSET(ThIdealProcessor, KTHREAD, IdealProcessor), // obsolete 791 OFFSET(ThApcStatePointer, KTHREAD, ApcStatePointer), // obsolete 792 OFFSET(ThSavedApcState, KTHREAD, SavedApcState), // obsolete 793 OFFSET(ThWaitReason, KTHREAD, WaitReason), 794 OFFSET(ThSaturation, KTHREAD, Saturation), // obsolete 795 OFFSET(ThLegoData, KTHREAD, LegoData), 796 //#if defined(_M_ARM) && (NTDDI_VERSION >= NTDDI_WIN10) 797 //OFFSET(ThUserRoBase, KTHREAD, UserRoBase), 798 //OFFSET(ThUserRwBase, KTHREAD, UserRwBase), 799 //#endif 800 #ifdef _M_IX86 801 //OFFSET(ThSListFaultCount, KTHREAD, SListFaultCount), // 0x18E 802 //OFFSET(ThSListFaultAddress, KTHREAD, ListFaultAddress), // 0x10 803 #endif // _M_IX86 804 #if defined(_M_IX86) || defined(_M_AMD64) 805 //OFFSET(ThUserFsBase, KTHREAD, UserFsBase), // 0x434 806 //OFFSET(ThUserGsBase, KTHREAD, GsBase), // 0x438 807 #endif // defined 808 SIZE(KernelThreadObjectLength, KTHREAD), 809 810 HEADER("ETHREAD"), 811 //OFFSET(ThSetContextState, ETHREAD, SetContextState), 812 813 HEADER("KTIMER"), 814 OFFSET(TiType, KTIMER, Header.Type), 815 OFFSET(TiSize, KTIMER, Header.Size), 816 #if (NTDDI_VERSION < NTDDI_WIN7) 817 OFFSET(TiInserted, KTIMER, Header.Inserted), 818 #endif 819 OFFSET(TiSignalState, KTIMER, Header.SignalState), 820 OFFSET(TiDueTime, KTIMER, DueTime), 821 OFFSET(TiTimerListEntry, KTIMER, TimerListEntry), 822 OFFSET(TiDpc, KTIMER, Dpc), 823 OFFSET(TiPeriod, KTIMER, Period), 824 SIZE(TimerObjectLength, KTIMER), 825 826 HEADER("TIME"), 827 OFFSET(TmLowTime, TIME, LowTime), 828 OFFSET(TmHighTime, TIME, HighTime), 829 830 HEADER("SYSTEM_CONTEXT_SWITCH_INFORMATION (relative to FindAny)"), 831 RELOFFSET(TwFindAny, SYSTEM_CONTEXT_SWITCH_INFORMATION, FindAny, FindAny), 832 RELOFFSET(TwFindIdeal, SYSTEM_CONTEXT_SWITCH_INFORMATION, FindIdeal, FindAny), 833 RELOFFSET(TwFindLast, SYSTEM_CONTEXT_SWITCH_INFORMATION, FindLast, FindAny), 834 
RELOFFSET(TwIdleAny, SYSTEM_CONTEXT_SWITCH_INFORMATION, IdleAny, FindAny), 835 RELOFFSET(TwIdleCurrent, SYSTEM_CONTEXT_SWITCH_INFORMATION, IdleCurrent, FindAny), 836 RELOFFSET(TwIdleIdeal, SYSTEM_CONTEXT_SWITCH_INFORMATION, IdleIdeal, FindAny), 837 RELOFFSET(TwIdleLast, SYSTEM_CONTEXT_SWITCH_INFORMATION, IdleLast, FindAny), 838 RELOFFSET(TwPreemptAny, SYSTEM_CONTEXT_SWITCH_INFORMATION, PreemptAny, FindAny), 839 RELOFFSET(TwPreemptCurrent, SYSTEM_CONTEXT_SWITCH_INFORMATION, PreemptCurrent, FindAny), 840 RELOFFSET(TwPreemptLast, SYSTEM_CONTEXT_SWITCH_INFORMATION, PreemptLast, FindAny), 841 RELOFFSET(TwSwitchToIdle, SYSTEM_CONTEXT_SWITCH_INFORMATION, SwitchToIdle, FindAny), 842 843 HEADER("KUSER_SHARED_DATA"), 844 OFFSET(UsTickCountMultiplier, KUSER_SHARED_DATA, TickCountMultiplier), // 0x4 845 OFFSET(UsInterruptTime, KUSER_SHARED_DATA, InterruptTime), // 0x8 846 OFFSET(UsSystemTime, KUSER_SHARED_DATA, SystemTime), // 0x14 847 OFFSET(UsTimeZoneBias, KUSER_SHARED_DATA, TimeZoneBias), // 0x20 848 OFFSET(UsImageNumberLow, KUSER_SHARED_DATA, ImageNumberLow), 849 OFFSET(UsImageNumberHigh, KUSER_SHARED_DATA, ImageNumberHigh), 850 OFFSET(UsNtSystemRoot, KUSER_SHARED_DATA, NtSystemRoot), 851 OFFSET(UsMaxStackTraceDepth, KUSER_SHARED_DATA, MaxStackTraceDepth), 852 OFFSET(UsCryptoExponent, KUSER_SHARED_DATA, CryptoExponent), 853 OFFSET(UsTimeZoneId, KUSER_SHARED_DATA, TimeZoneId), 854 OFFSET(UsLargePageMinimum, KUSER_SHARED_DATA, LargePageMinimum), 855 //#if (NTDDI_VERSION >= NTDDI_WIN10) 856 //OFFSET(UsNtBuildNumber, KUSER_SHARED_DATA, NtBuildNumber), 857 //#else 858 OFFSET(UsReserved2, KUSER_SHARED_DATA, Reserved2), 859 //#endif 860 OFFSET(UsNtProductType, KUSER_SHARED_DATA, NtProductType), 861 OFFSET(UsProductTypeIsValid, KUSER_SHARED_DATA, ProductTypeIsValid), 862 OFFSET(UsNtMajorVersion, KUSER_SHARED_DATA, NtMajorVersion), 863 OFFSET(UsNtMinorVersion, KUSER_SHARED_DATA, NtMinorVersion), 864 OFFSET(UsProcessorFeatures, KUSER_SHARED_DATA, ProcessorFeatures), 865 
OFFSET(UsReserved1, KUSER_SHARED_DATA, Reserved1), 866 OFFSET(UsReserved3, KUSER_SHARED_DATA, Reserved3), 867 OFFSET(UsTimeSlip, KUSER_SHARED_DATA, TimeSlip), 868 OFFSET(UsAlternativeArchitecture, KUSER_SHARED_DATA, AlternativeArchitecture), 869 OFFSET(UsSystemExpirationDate, KUSER_SHARED_DATA, SystemExpirationDate), // not arm 870 OFFSET(UsSuiteMask, KUSER_SHARED_DATA, SuiteMask), 871 OFFSET(UsKdDebuggerEnabled, KUSER_SHARED_DATA, KdDebuggerEnabled), 872 OFFSET(UsActiveConsoleId, KUSER_SHARED_DATA, ActiveConsoleId), 873 OFFSET(UsDismountCount, KUSER_SHARED_DATA, DismountCount), 874 OFFSET(UsComPlusPackage, KUSER_SHARED_DATA, ComPlusPackage), 875 OFFSET(UsLastSystemRITEventTickCount, KUSER_SHARED_DATA, LastSystemRITEventTickCount), 876 OFFSET(UsNumberOfPhysicalPages, KUSER_SHARED_DATA, NumberOfPhysicalPages), 877 OFFSET(UsSafeBootMode, KUSER_SHARED_DATA, SafeBootMode), 878 OFFSET(UsTestRetInstruction, KUSER_SHARED_DATA, TestRetInstruction), 879 OFFSET(UsSystemCall, KUSER_SHARED_DATA, SystemCall), // not in win10 880 OFFSET(UsSystemCallReturn, KUSER_SHARED_DATA, SystemCallReturn), // not in win10 881 OFFSET(UsSystemCallPad, KUSER_SHARED_DATA, SystemCallPad), 882 OFFSET(UsTickCount, KUSER_SHARED_DATA, TickCount), 883 OFFSET(UsTickCountQuad, KUSER_SHARED_DATA, TickCountQuad), 884 OFFSET(UsWow64SharedInformation, KUSER_SHARED_DATA, Wow64SharedInformation), // not in win10 885 //OFFSET(UsXState, KUSER_SHARED_DATA, XState), // win 10 886 887 HEADER("KWAIT_BLOCK offsets"), 888 OFFSET(WbWaitListEntry, KWAIT_BLOCK, WaitListEntry), 889 OFFSET(WbThread, KWAIT_BLOCK, Thread), 890 OFFSET(WbObject, KWAIT_BLOCK, Object), 891 OFFSET(WbNextWaitBlock, KWAIT_BLOCK, NextWaitBlock), // not in win10 892 OFFSET(WbWaitKey, KWAIT_BLOCK, WaitKey), 893 OFFSET(WbWaitType, KWAIT_BLOCK, WaitType), 894 895 #ifdef _M_AMD64 896 SIZE(KSTART_FRAME_LENGTH, KSTART_FRAME), 897 #endif 898 899 #if 0 900 901 CONSTANT(CFlushSize), 902 CONSTANT(Win32BatchFlushCallout), 903 
CONSTANT(ServiceCpupReturnFromSimulatedCode), 904 CONSTANT(X86AMD64_R3_LONG_MODE_CODE), 905 CONSTANT(USER_CALLBACK_FILTER), 906 CONSTANT(SYSTEM_CALL_INT_2E), 907 908 HEADER("Process mitigation option flags"), 909 CONSTANT(PS_MITIGATION_OPTION_BITS_PER_OPTION), 910 CONSTANT(PS_MITIGATION_OPTION_ALWAYS_ON), 911 CONSTANT(PS_MITIGATION_OPTION_ALWAYS_OFF), 912 CONSTANT(PS_MITIGATION_OPTION_MASK), 913 CONSTANT(PS_MITIGATION_OPTION_RETURN_FLOW_GUARD), 914 CONSTANT(PS_MITIGATION_OPTION_RESTRICT_SET_THREAD_CONTEXT), 915 916 #ifndef _M_ARM 917 HEADER("Bounds Callback Status Codes"), 918 CONSTANT(BoundExceptionContinueSearch), 919 CONSTANT(BoundExceptionHandled), 920 CONSTANT(BoundExceptionError), 921 #endif 922 923 HEADER("PS_SYSTEM_DLL_INIT_BLOCK"), 924 OFFSET(IbCfgBitMap, PS_SYSTEM_DLL_INIT_BLOCK, CfgBitMap), 925 OFFSET(IbWow64CfgBitMap, PS_SYSTEM_DLL_INIT_BLOCK, Wow64CfgBitMap), 926 OFFSET(IbMitigationOptionsMap, PS_SYSTEM_DLL_INIT_BLOCK, MitigationOptionsMap), 927 928 HEADER("Extended context"), 929 OFFSET(CxxLegacyOffset 0x8 930 OFFSET(CxxLegacyLength 0xc 931 OFFSET(CxxXStateOffset 0x10 932 OFFSET(CxxXStateLength 0x14 933 934 HEADER("Enclave call dispatch frame"), 935 OFFSET(EcEnclaveNumber, ???, EnclaveNumber), 936 OFFSET(EcParameterAddress, ???, ParameterAddress), 937 OFFSET(EcParameterValue, ???, ParameterValue), 938 OFFSET(EcOriginalReturn, ???, OriginalReturn), 939 OFFSET(EcFramePointer, ???, FramePointer), 940 OFFSET(EcReturnAddress, ???, ReturnAddress), 941 942 #ifndef _M_ARM 943 HEADER("Enlightenment"), 944 OFFSET(HeEnlightenments, ???, Enlightenments), 945 OFFSET(HeHypervisorConnected, ???, HypervisorConnected), 946 OFFSET(HeEndOfInterrupt, ???, EndOfInterrupt), 947 OFFSET(HeApicWriteIcr, ???, ApicWriteIcr), 948 OFFSET(HeSpinCountMask, ???, SpinCountMask), 949 OFFSET(HeLongSpinWait, ???, LongSpinWait), 950 #endif 951 952 HEADER("Processor Descriptor Area"), 953 OFFSET(PdaGdt, ????, ), 954 OFFSET(PdaKernelGsBase, ????, ), 955 956 OFFSET(PpFlags, ????, Flags), 
957 OFFSET(EtwTSLength, ????, ), 958 OFFSET(CmThreadEnvironmentBlockOffset, ????, ), 959 OFFSET(PbEntropyCount, ????, ), 960 OFFSET(PbEntropyBuffer, ????, ), 961 962 #endif 963