1 2 3 HEADER("Pointer size"), 4 SIZE(SizeofPointer, PVOID), 5 6 HEADER("Bug Check Codes"), 7 CONSTANT(APC_INDEX_MISMATCH), 8 CONSTANT(INVALID_AFFINITY_SET), 9 CONSTANT(INVALID_DATA_ACCESS_TRAP), 10 CONSTANT(IRQL_NOT_GREATER_OR_EQUAL), 11 CONSTANT(IRQL_NOT_LESS_OR_EQUAL), // 0x0a 12 CONSTANT(NO_USER_MODE_CONTEXT), // 0x0e 13 CONSTANT(SPIN_LOCK_ALREADY_OWNED), // 0x0f 14 CONSTANT(SPIN_LOCK_NOT_OWNED), // 0x10 15 CONSTANT(THREAD_NOT_MUTEX_OWNER), // 0x11 16 CONSTANT(TRAP_CAUSE_UNKNOWN), // 0x12 17 CONSTANT(KMODE_EXCEPTION_NOT_HANDLED), // 0x1e 18 CONSTANT(KERNEL_APC_PENDING_DURING_EXIT), // 0x20 19 CONSTANT(PANIC_STACK_SWITCH), // 0x2b 20 CONSTANT(DATA_BUS_ERROR), // 0x2e 21 CONSTANT(INSTRUCTION_BUS_ERROR), // 0x2f 22 CONSTANT(SYSTEM_EXIT_OWNED_MUTEX), // 0x39 23 //CONSTANT(SYSTEM_UNWIND_PREVIOUS_USER), // 0x3a 24 //CONSTANT(SYSTEM_SERVICE_EXCEPTION), // 0x3b 25 //CONSTANT(INTERRUPT_UNWIND_ATTEMPTED), // 0x3c 26 //CONSTANT(INTERRUPT_EXCEPTION_NOT_HANDLED), // 0x3d 27 CONSTANT(PAGE_FAULT_WITH_INTERRUPTS_OFF), // 0x49 28 CONSTANT(IRQL_GT_ZERO_AT_SYSTEM_SERVICE), // 0x4a 29 CONSTANT(DATA_COHERENCY_EXCEPTION), // 0x55 30 CONSTANT(INSTRUCTION_COHERENCY_EXCEPTION), // 0x56 31 CONSTANT(HAL1_INITIALIZATION_FAILED), // 0x61 32 CONSTANT(UNEXPECTED_KERNEL_MODE_TRAP), // 0x7f 33 CONSTANT(NMI_HARDWARE_FAILURE), // 0x80 34 CONSTANT(SPIN_LOCK_INIT_FAILURE), // 0x81 35 CONSTANT(ATTEMPTED_SWITCH_FROM_DPC), // 0xb8 36 //CONSTANT(MUTEX_ALREADY_OWNED), // 0xbf 37 //CONSTANT(HARDWARE_INTERRUPT_STORM), // 0xf2 38 //CONSTANT(RECURSIVE_MACHINE_CHECK), // 0xfb 39 //CONSTANT(RECURSIVE_NMI), // 0x111 40 CONSTANT(KERNEL_SECURITY_CHECK_FAILURE), // 0x139 41 //CONSTANT(UNSUPPORTED_INSTRUCTION_MODE), // 0x151 42 //CONSTANT(BUGCHECK_CONTEXT_MODIFIER), // 0x80000000 43 44 HEADER("Breakpoints"), 45 CONSTANT(BREAKPOINT_BREAK), 46 CONSTANT(BREAKPOINT_PRINT), 47 CONSTANT(BREAKPOINT_PROMPT), 48 CONSTANT(BREAKPOINT_LOAD_SYMBOLS), 49 CONSTANT(BREAKPOINT_UNLOAD_SYMBOLS), 50 
CONSTANT(BREAKPOINT_COMMAND_STRING), 51 52 HEADER("Context Frame Flags"), 53 CONSTANT(CONTEXT_FULL), 54 CONSTANT(CONTEXT_CONTROL), 55 CONSTANT(CONTEXT_INTEGER), 56 CONSTANT(CONTEXT_FLOATING_POINT), 57 CONSTANT(CONTEXT_DEBUG_REGISTERS), 58 #if defined(_M_IX86) || defined(_M_AMD64) 59 CONSTANT(CONTEXT_SEGMENTS), 60 #endif 61 62 HEADER("Exception flags"), 63 CONSTANT(EXCEPTION_NONCONTINUABLE), 64 CONSTANT(EXCEPTION_UNWINDING), 65 CONSTANT(EXCEPTION_EXIT_UNWIND), 66 CONSTANT(EXCEPTION_STACK_INVALID), 67 CONSTANT(EXCEPTION_NESTED_CALL), 68 CONSTANT(EXCEPTION_TARGET_UNWIND), 69 CONSTANT(EXCEPTION_COLLIDED_UNWIND), 70 CONSTANT(EXCEPTION_UNWIND), 71 CONSTANT(EXCEPTION_EXECUTE_HANDLER), 72 CONSTANT(EXCEPTION_CONTINUE_SEARCH), 73 CONSTANT(EXCEPTION_CONTINUE_EXECUTION), 74 #ifdef _X86_ 75 CONSTANT(EXCEPTION_CHAIN_END), 76 //CONSTANT(FIXED_NTVDMSTATE_LINEAR), /// FIXME ??? 77 #endif 78 79 HEADER("Exception types"), 80 CONSTANT(ExceptionContinueExecution), 81 CONSTANT(ExceptionContinueSearch), 82 CONSTANT(ExceptionNestedException), 83 CONSTANT(ExceptionCollidedUnwind), 84 85 HEADER("Fast Fail Constants"), 86 CONSTANT(FAST_FAIL_GUARD_ICALL_CHECK_FAILURE), 87 //CONSTANT(FAST_FAIL_INVALID_BUFFER_ACCESS), 88 #ifdef _M_ASM64 89 CONSTANT(FAST_FAIL_INVALID_JUMP_BUFFER), 90 CONSTANT(FAST_FAIL_INVALID_SET_OF_CONTEXT), 91 #endif // _M_ASM64 92 93 HEADER("Interrupt object types"), 94 CONSTANTX(InLevelSensitive, LevelSensitive), 95 CONSTANTX(InLatched, Latched), 96 97 HEADER("IPI"), 98 #ifndef _M_AMD64 99 CONSTANT(IPI_APC), 100 CONSTANT(IPI_DPC), 101 CONSTANT(IPI_FREEZE), 102 CONSTANT(IPI_PACKET_READY), 103 #endif // _M_AMD64 104 #ifdef _M_IX86 105 CONSTANT(IPI_SYNCH_REQUEST), 106 #endif // _M_IX86 107 108 HEADER("IRQL"), 109 CONSTANT(PASSIVE_LEVEL), 110 CONSTANT(APC_LEVEL), 111 CONSTANT(DISPATCH_LEVEL), 112 #ifdef _M_AMD64 113 CONSTANT(CLOCK_LEVEL), 114 #elif defined(_M_IX86) 115 CONSTANT(CLOCK1_LEVEL), 116 CONSTANT(CLOCK2_LEVEL), 117 #endif 118 CONSTANT(IPI_LEVEL), 119 
CONSTANT(POWER_LEVEL), 120 CONSTANT(PROFILE_LEVEL), 121 CONSTANT(HIGH_LEVEL), 122 RAW("#ifdef NT_UP"), 123 {TYPE_CONSTANT, "SYNCH_LEVEL", DISPATCH_LEVEL}, 124 RAW("#else"), 125 {TYPE_CONSTANT, "SYNCH_LEVEL", (IPI_LEVEL - 2)}, 126 RAW("#endif"), 127 128 #if (NTDDI_VERSION >= NTDDI_WIN8) 129 HEADER("Entropy Timing Constants"), 130 CONSTANT(KENTROPY_TIMING_INTERRUPTS_PER_BUFFER), 131 CONSTANT(KENTROPY_TIMING_BUFFER_MASK), 132 CONSTANT(KENTROPY_TIMING_ANALYSIS), 133 #endif 134 135 HEADER("Lock Queue"), 136 CONSTANT(LOCK_QUEUE_WAIT), 137 CONSTANT(LOCK_QUEUE_OWNER), 138 CONSTANT(LockQueueDispatcherLock), /// FIXE: obsolete 139 140 //HEADER("Performance Definitions"), 141 //CONSTANT(PERF_CONTEXTSWAP_OFFSET), 142 //CONSTANT(PERF_CONTEXTSWAP_FLAG), 143 //CONSTANT(PERF_INTERRUPT_OFFSET), 144 //CONSTANT(PERF_INTERRUPT_FLAG), 145 //CONSTANT(PERF_SYSCALL_OFFSET), 146 //CONSTANT(PERF_SYSCALL_FLAG), 147 #ifndef _M_ARM 148 //CONSTANT(PERF_PROFILE_OFFSET), /// FIXE: obsolete 149 //CONSTANT(PERF_PROFILE_FLAG), /// FIXE: obsolete 150 //CONSTANT(PERF_SPINLOCK_OFFSET), /// FIXE: obsolete 151 //CONSTANT(PERF_SPINLOCK_FLAG), /// FIXE: obsolete 152 #endif 153 #ifdef _M_IX86 154 //CONSTANT(PERF_IPI_OFFSET), // 00008H 155 //CONSTANT(PERF_IPI_FLAG), // 0400000H 156 //CONSTANT(PERF_IPI), // 040400000H 157 //CONSTANT(PERF_INTERRUPT), // 020004000H 158 #endif 159 //CONSTANT(NTOS_YIELD_MACRO), 160 161 HEADER("Process states"), 162 CONSTANT(ProcessInMemory), 163 CONSTANT(ProcessOutOfMemory), 164 CONSTANT(ProcessInTransition), 165 166 HEADER("Processor mode"), 167 CONSTANT(KernelMode), 168 CONSTANT(UserMode), 169 170 HEADER("Service Table Constants"), 171 CONSTANT(NUMBER_SERVICE_TABLES), 172 CONSTANT(SERVICE_NUMBER_MASK), 173 CONSTANT(SERVICE_TABLE_SHIFT), 174 CONSTANT(SERVICE_TABLE_MASK), 175 CONSTANT(SERVICE_TABLE_TEST), 176 177 HEADER("Status codes"), 178 CONSTANT(STATUS_ACCESS_VIOLATION), 179 CONSTANT(STATUS_ASSERTION_FAILURE), 180 CONSTANT(STATUS_ARRAY_BOUNDS_EXCEEDED), 181 
CONSTANT(STATUS_BAD_COMPRESSION_BUFFER), 182 CONSTANT(STATUS_BREAKPOINT), 183 CONSTANT(STATUS_CALLBACK_POP_STACK), 184 CONSTANT(STATUS_DATATYPE_MISALIGNMENT), 185 CONSTANT(STATUS_FLOAT_DENORMAL_OPERAND), 186 CONSTANT(STATUS_FLOAT_DIVIDE_BY_ZERO), 187 CONSTANT(STATUS_FLOAT_INEXACT_RESULT), 188 CONSTANT(STATUS_FLOAT_INVALID_OPERATION), 189 CONSTANT(STATUS_FLOAT_OVERFLOW), 190 CONSTANT(STATUS_FLOAT_STACK_CHECK), 191 CONSTANT(STATUS_FLOAT_UNDERFLOW), 192 CONSTANT(STATUS_FLOAT_MULTIPLE_FAULTS), 193 CONSTANT(STATUS_FLOAT_MULTIPLE_TRAPS), 194 CONSTANT(STATUS_GUARD_PAGE_VIOLATION), 195 CONSTANT(STATUS_ILLEGAL_FLOAT_CONTEXT), 196 CONSTANT(STATUS_ILLEGAL_INSTRUCTION), 197 CONSTANT(STATUS_INSTRUCTION_MISALIGNMENT), 198 CONSTANT(STATUS_INVALID_HANDLE), 199 CONSTANT(STATUS_INVALID_LOCK_SEQUENCE), 200 CONSTANT(STATUS_INVALID_OWNER), 201 CONSTANT(STATUS_INVALID_PARAMETER), 202 CONSTANT(STATUS_INVALID_PARAMETER_1), 203 CONSTANT(STATUS_INVALID_SYSTEM_SERVICE), 204 //CONSTANT(STATUS_INVALID_THREAD), 205 CONSTANT(STATUS_INTEGER_DIVIDE_BY_ZERO), 206 CONSTANT(STATUS_INTEGER_OVERFLOW), 207 CONSTANT(STATUS_IN_PAGE_ERROR), 208 CONSTANT(STATUS_KERNEL_APC), 209 CONSTANT(STATUS_LONGJUMP), 210 CONSTANT(STATUS_NO_CALLBACK_ACTIVE), 211 #ifndef _M_ARM 212 CONSTANT(STATUS_NO_EVENT_PAIR), /// FIXME: obsolete 213 #endif 214 CONSTANT(STATUS_PRIVILEGED_INSTRUCTION), 215 CONSTANT(STATUS_SINGLE_STEP), 216 CONSTANT(STATUS_STACK_BUFFER_OVERRUN), 217 CONSTANT(STATUS_STACK_OVERFLOW), 218 CONSTANT(STATUS_SUCCESS), 219 CONSTANT(STATUS_THREAD_IS_TERMINATING), 220 CONSTANT(STATUS_TIMEOUT), 221 CONSTANT(STATUS_UNWIND), 222 CONSTANT(STATUS_UNWIND_CONSOLIDATE), 223 CONSTANT(STATUS_USER_APC), 224 CONSTANT(STATUS_WAKE_SYSTEM), 225 CONSTANT(STATUS_WAKE_SYSTEM_DEBUGGER), 226 227 //HEADER("Thread flags"), 228 //CONSTANT(THREAD_FLAGS_CYCLE_PROFILING), 229 //CONSTANT(THREAD_FLAGS_CYCLE_PROFILING_LOCK_BIT), 230 //CONSTANT(THREAD_FLAGS_CYCLE_PROFILING_LOCK), 231 //CONSTANT(THREAD_FLAGS_COUNTER_PROFILING), 232 
//CONSTANT(THREAD_FLAGS_COUNTER_PROFILING_LOCK_BIT), 233 //CONSTANT(THREAD_FLAGS_COUNTER_PROFILING_LOCK), 234 //CONSTANT(THREAD_FLAGS_CPU_THROTTLED), /// FIXME: obsolete 235 //CONSTANT(THREAD_FLAGS_CPU_THROTTLED_BIT), /// FIXME: obsolete 236 //CONSTANT(THREAD_FLAGS_ACCOUNTING_CSWITCH), 237 //CONSTANT(THREAD_FLAGS_ACCOUNTING_INTERRUPT), 238 //CONSTANT(THREAD_FLAGS_ACCOUNTING_ANY), 239 //CONSTANT(THREAD_FLAGS_GROUP_SCHEDULING), 240 //CONSTANT(THREAD_FLAGS_AFFINITY_SET), 241 #ifdef _M_IX86 242 //CONSTANT(THREAD_FLAGS_INSTRUMENTED), // 0x0040 243 //CONSTANT(THREAD_FLAGS_INSTRUMENTED_PROFILING), // 0x0041 244 #endif // _M_IX86 245 246 HEADER("TLS defines"), 247 CONSTANT(TLS_MINIMUM_AVAILABLE), 248 CONSTANT(TLS_EXPANSION_SLOTS), 249 250 HEADER("Thread states"), 251 CONSTANT(Initialized), 252 CONSTANT(Ready), 253 CONSTANT(Running), 254 CONSTANT(Standby), 255 CONSTANT(Terminated), 256 CONSTANT(Waiting), 257 #ifdef _M_ARM 258 CONSTANT(Transition), 259 CONSTANT(DeferredReady), 260 //CONSTANT(GateWaitObsolete), 261 #endif // _M_ARM 262 263 HEADER("Wait type / reason"), 264 CONSTANT(WrExecutive), 265 CONSTANT(WrMutex), /// FIXME: Obsolete 266 CONSTANT(WrDispatchInt), 267 CONSTANT(WrQuantumEnd), /// FIXME: Obsolete 268 CONSTANT(WrEventPair), /// FIXME: Obsolete 269 CONSTANT(WaitAny), 270 CONSTANT(WaitAll), 271 272 HEADER("Stack sizes"), 273 CONSTANT(KERNEL_STACK_SIZE), /// FIXME: Obsolete 274 CONSTANT(KERNEL_LARGE_STACK_SIZE), 275 CONSTANT(KERNEL_LARGE_STACK_COMMIT), /// FIXME: Obsolete 276 //CONSTANT(DOUBLE_FAULT_STACK_SIZE), 277 #ifdef _M_AMD64 278 CONSTANT(KERNEL_MCA_EXCEPTION_STACK_SIZE), 279 CONSTANT(NMI_STACK_SIZE), 280 CONSTANT(ISR_STACK_SIZE), 281 #endif 282 283 //CONSTANT(KTHREAD_AUTO_ALIGNMENT_BIT), 284 //CONSTANT(KTHREAD_GUI_THREAD_MASK), 285 //CONSTANT(KTHREAD_SYSTEM_THREAD_BIT), 286 //CONSTANT(KTHREAD_QUEUE_DEFER_PREEMPTION_BIT), 287 288 HEADER("Miscellaneous Definitions"), 289 CONSTANT(TRUE), 290 CONSTANT(FALSE), 291 CONSTANT(PAGE_SIZE), 292 CONSTANT(Executive), 
293 //CONSTANT(BASE_PRIORITY_THRESHOLD), 294 //CONSTANT(EVENT_PAIR_INCREMENT), /// FIXME: obsolete 295 CONSTANT(LOW_REALTIME_PRIORITY), 296 CONSTANT(CLOCK_QUANTUM_DECREMENT), 297 //CONSTANT(READY_SKIP_QUANTUM), 298 //CONSTANT(THREAD_QUANTUM), 299 CONSTANT(WAIT_QUANTUM_DECREMENT), 300 //CONSTANT(ROUND_TRIP_DECREMENT_COUNT), 301 CONSTANT(MAXIMUM_PROCESSORS), 302 CONSTANT(INITIAL_STALL_COUNT), 303 //CONSTANT(EXCEPTION_EXECUTE_FAULT), // amd64 304 //CONSTANT(KCACHE_ERRATA_MONITOR_FLAGS), // not arm 305 //CONSTANT(KI_DPC_ALL_FLAGS), 306 //CONSTANT(KI_DPC_ANY_DPC_ACTIVE), 307 //CONSTANT(KI_DPC_INTERRUPT_FLAGS), // 0x2f arm and x64 308 //CONSTANT(KI_EXCEPTION_GP_FAULT), // not i386 309 //CONSTANT(KI_EXCEPTION_INVALID_OP), // not i386 310 //CONSTANT(KI_EXCEPTION_INTEGER_DIVIDE_BY_ZERO), // amd64 311 CONSTANT(KI_EXCEPTION_ACCESS_VIOLATION), 312 //CONSTANT(KINTERRUPT_STATE_DISABLED_BIT), 313 //CONSTANT(KINTERRUPT_STATE_DISABLED), 314 //CONSTANT(TARGET_FREEZE), // amd64 315 //CONSTANT(BlackHole), // FIXME: obsolete 316 CONSTANT(DBG_STATUS_CONTROL_C), 317 //CONSTANTPTR(USER_SHARED_DATA), // FIXME: we need the kernel mode address here! 
//CONSTANT(MM_SHARED_USER_DATA_VA),
//CONSTANT(KERNEL_STACK_CONTROL_LARGE_STACK), // FIXME: obsolete
//CONSTANT(DISPATCH_LENGTH), // FIXME: obsolete
//CONSTANT(MAXIMUM_PRIMARY_VECTOR), // not arm
//CONSTANT(KI_SLIST_FAULT_COUNT_MAXIMUM), // i386
//CONSTANT(USER_CALLBACK_FILTER),

#ifndef _M_ARM
CONSTANT(MAXIMUM_IDTVECTOR),
//CONSTANT(MAXIMUM_PRIMARY_VECTOR),
CONSTANT(PRIMARY_VECTOR_BASE),
CONSTANT(RPL_MASK),
CONSTANT(MODE_MASK),
//MODE_BIT equ 00000H amd64
//LDT_MASK equ 00004H amd64
#endif


/* STRUCTURE OFFSETS *********************************************************/

//HEADER("KAFFINITY_EX"),
//OFFSET(AfCount, KAFFINITY_EX, Count),
//OFFSET(AfBitmap, KAFFINITY_EX, Bitmap),

//HEADER("Aligned Affinity"),
//OFFSET(AfsCpuSet, ???, CpuSet), // FIXME: obsolete

HEADER("KAPC"),
OFFSET(ApType, KAPC, Type),
OFFSET(ApSize, KAPC, Size),
OFFSET(ApThread, KAPC, Thread),
OFFSET(ApApcListEntry, KAPC, ApcListEntry),
OFFSET(ApKernelRoutine, KAPC, KernelRoutine),
OFFSET(ApRundownRoutine, KAPC, RundownRoutine),
OFFSET(ApNormalRoutine, KAPC, NormalRoutine),
OFFSET(ApNormalContext, KAPC, NormalContext),
OFFSET(ApSystemArgument1, KAPC, SystemArgument1),
OFFSET(ApSystemArgument2, KAPC, SystemArgument2),
OFFSET(ApApcStateIndex, KAPC, ApcStateIndex),
OFFSET(ApApcMode, KAPC, ApcMode),
OFFSET(ApInserted, KAPC, Inserted),
SIZE(ApcObjectLength, KAPC),

/* Offsets of the four APC record slots, measured from NormalRoutine rather
 * than from the start of KAPC, so they can be applied to a copy of just
 * these four fields. */
HEADER("KAPC offsets (relative to NormalRoutine)"),
RELOFFSET(ArNormalRoutine, KAPC, NormalRoutine, NormalRoutine),
RELOFFSET(ArNormalContext, KAPC, NormalContext, NormalRoutine),
RELOFFSET(ArSystemArgument1, KAPC, SystemArgument1, NormalRoutine),
RELOFFSET(ArSystemArgument2, KAPC, SystemArgument2, NormalRoutine),
// Must stay in sync with the four Ar* RELOFFSET entries above: one
// pointer-sized slot each. Adding or removing an Ar* entry without
// updating this multiplier would desynchronize any asm that sizes the
// record with ApcRecordLength.
CONSTANTX(ApcRecordLength, 4 * sizeof(PVOID)),

HEADER("KAPC_STATE"),
OFFSET(AsApcListHead, KAPC_STATE, ApcListHead),
OFFSET(AsProcess, KAPC_STATE, Process), 371 OFFSET(AsKernelApcInProgress, KAPC_STATE, KernelApcInProgress), // FIXME: obsolete 372 OFFSET(AsKernelApcPending, KAPC_STATE, KernelApcPending), 373 OFFSET(AsUserApcPending, KAPC_STATE, UserApcPending), 374 375 HEADER("CLIENT_ID"), 376 OFFSET(CidUniqueProcess, CLIENT_ID, UniqueProcess), 377 OFFSET(CidUniqueThread, CLIENT_ID, UniqueThread), 378 379 HEADER("RTL_CRITICAL_SECTION"), 380 OFFSET(CsDebugInfo, RTL_CRITICAL_SECTION, DebugInfo), 381 OFFSET(CsLockCount, RTL_CRITICAL_SECTION, LockCount), 382 OFFSET(CsRecursionCount, RTL_CRITICAL_SECTION, RecursionCount), 383 OFFSET(CsOwningThread, RTL_CRITICAL_SECTION, OwningThread), 384 OFFSET(CsLockSemaphore, RTL_CRITICAL_SECTION, LockSemaphore), 385 OFFSET(CsSpinCount, RTL_CRITICAL_SECTION, SpinCount), 386 387 HEADER("RTL_CRITICAL_SECTION_DEBUG"), 388 OFFSET(CsType, RTL_CRITICAL_SECTION_DEBUG, Type), 389 OFFSET(CsCreatorBackTraceIndex, RTL_CRITICAL_SECTION_DEBUG, CreatorBackTraceIndex), 390 OFFSET(CsCriticalSection, RTL_CRITICAL_SECTION_DEBUG, CriticalSection), 391 OFFSET(CsProcessLocksList, RTL_CRITICAL_SECTION_DEBUG, ProcessLocksList), 392 OFFSET(CsEntryCount, RTL_CRITICAL_SECTION_DEBUG, EntryCount), 393 OFFSET(CsContentionCount, RTL_CRITICAL_SECTION_DEBUG, ContentionCount), 394 395 HEADER("KDEVICE_QUEUE_ENTRY"), 396 OFFSET(DeDeviceListEntry, KDEVICE_QUEUE_ENTRY, DeviceListEntry), 397 OFFSET(DeSortKey, KDEVICE_QUEUE_ENTRY, SortKey), 398 OFFSET(DeInserted, KDEVICE_QUEUE_ENTRY, Inserted), 399 SIZE(DeviceQueueEntryLength, KDEVICE_QUEUE_ENTRY), 400 401 HEADER("KDPC"), 402 OFFSET(DpType, KDPC, Type), 403 OFFSET(DpImportance, KDPC, Importance), 404 OFFSET(DpNumber, KDPC, Number), 405 OFFSET(DpDpcListEntry, KDPC, DpcListEntry), 406 OFFSET(DpDeferredRoutine, KDPC, DeferredRoutine), 407 OFFSET(DpDeferredContext, KDPC, DeferredContext), 408 OFFSET(DpSystemArgument1, KDPC, SystemArgument1), 409 OFFSET(DpSystemArgument2, KDPC, SystemArgument2), 410 OFFSET(DpDpcData, KDPC, DpcData), 411 
SIZE(DpcObjectLength, KDPC), 412 413 HEADER("KDEVICE_QUEUE"), 414 OFFSET(DvType, KDEVICE_QUEUE, Type), 415 OFFSET(DvSize, KDEVICE_QUEUE, Size), 416 OFFSET(DvDeviceListHead, KDEVICE_QUEUE, DeviceListHead), 417 OFFSET(DvSpinLock, KDEVICE_QUEUE, Lock), 418 OFFSET(DvBusy, KDEVICE_QUEUE, Busy), 419 SIZE(DeviceQueueObjectLength, KDEVICE_QUEUE), 420 421 HEADER("EXCEPTION_RECORD"), 422 OFFSET(ErExceptionCode, EXCEPTION_RECORD, ExceptionCode), 423 OFFSET(ErExceptionFlags, EXCEPTION_RECORD, ExceptionFlags), 424 OFFSET(ErExceptionRecord, EXCEPTION_RECORD, ExceptionRecord), 425 OFFSET(ErExceptionAddress, EXCEPTION_RECORD, ExceptionAddress), 426 OFFSET(ErNumberParameters, EXCEPTION_RECORD, NumberParameters), 427 OFFSET(ErExceptionInformation, EXCEPTION_RECORD, ExceptionInformation), 428 SIZE(ExceptionRecordLength, EXCEPTION_RECORD), 429 SIZE(EXCEPTION_RECORD_LENGTH, EXCEPTION_RECORD), // not 1386 430 431 HEADER("EPROCESS"), 432 OFFSET(EpDebugPort, EPROCESS, DebugPort), 433 #if defined(_M_IX86) 434 OFFSET(EpVdmObjects, EPROCESS, VdmObjects), 435 #elif defined(_M_AMD64) 436 OFFSET(EpWow64Process, EPROCESS, Wow64Process), 437 #endif 438 SIZE(ExecutiveProcessObjectLength, EPROCESS), 439 440 HEADER("ETHREAD offsets"), 441 OFFSET(EtCid, ETHREAD, Cid), // 0x364 442 SIZE(ExecutiveThreadObjectLength, ETHREAD), // 0x418 443 444 HEADER("KEVENT"), 445 OFFSET(EvType, KEVENT, Header.Type), 446 OFFSET(EvSize, KEVENT, Header.Size), 447 OFFSET(EvSignalState, KEVENT, Header.SignalState), 448 OFFSET(EvWaitListHead, KEVENT, Header.WaitListHead), 449 SIZE(EventObjectLength, KEVENT), 450 451 HEADER("FIBER"), 452 OFFSET(FbFiberData, FIBER, FiberData), 453 OFFSET(FbExceptionList, FIBER, ExceptionList), 454 OFFSET(FbStackBase, FIBER, StackBase), 455 OFFSET(FbStackLimit, FIBER, StackLimit), 456 OFFSET(FbDeallocationStack, FIBER, DeallocationStack), 457 OFFSET(FbFiberContext, FIBER, FiberContext), 458 //OFFSET(FbWx86Tib, FIBER, Wx86Tib), 459 //OFFSET(FbActivationContextStackPointer, FIBER, 
ActivationContextStackPointer), 460 OFFSET(FbFlsData, FIBER, FlsData), 461 OFFSET(FbGuaranteedStackBytes, FIBER, GuaranteedStackBytes), 462 //OFFSET(FbTebFlags, FIBER, TebFlags), 463 464 HEADER("FAST_MUTEX"), 465 OFFSET(FmCount, FAST_MUTEX, Count), 466 OFFSET(FmOwner, FAST_MUTEX, Owner), 467 OFFSET(FmContention, FAST_MUTEX, Contention), 468 //OFFSET(FmGate, FAST_MUTEX, Gate), // obsolete 469 OFFSET(FmOldIrql, FAST_MUTEX, OldIrql), 470 471 #ifndef _M_ARM 472 HEADER("GETSETCONTEXT offsets"), // GET_SET_CTX_CONTEXT 473 OFFSET(GetSetCtxContextPtr, GETSETCONTEXT, Context), 474 #endif // _M_ARM 475 476 HEADER("KINTERRUPT"), 477 OFFSET(InType, KINTERRUPT, Type), 478 OFFSET(InSize, KINTERRUPT, Size), 479 OFFSET(InInterruptListEntry, KINTERRUPT, InterruptListEntry), 480 OFFSET(InServiceRoutine, KINTERRUPT, ServiceRoutine), 481 OFFSET(InServiceContext, KINTERRUPT, ServiceContext), 482 OFFSET(InSpinLock, KINTERRUPT, SpinLock), 483 OFFSET(InTickCount, KINTERRUPT, TickCount), 484 OFFSET(InActualLock, KINTERRUPT, ActualLock), 485 OFFSET(InDispatchAddress, KINTERRUPT, DispatchAddress), 486 OFFSET(InVector, KINTERRUPT, Vector), 487 OFFSET(InIrql, KINTERRUPT, Irql), 488 OFFSET(InSynchronizeIrql, KINTERRUPT, SynchronizeIrql), 489 OFFSET(InFloatingSave, KINTERRUPT, FloatingSave), 490 OFFSET(InConnected, KINTERRUPT, Connected), 491 OFFSET(InNumber, KINTERRUPT, Number), 492 OFFSET(InShareVector, KINTERRUPT, ShareVector), 493 //OFFSET(InInternalState, KINTERRUPT, InternalState), 494 OFFSET(InMode, KINTERRUPT, Mode), 495 OFFSET(InServiceCount, KINTERRUPT, ServiceCount), 496 OFFSET(InDispatchCount, KINTERRUPT, DispatchCount), 497 //OFFSET(InTrapFrame, KINTERRUPT, TrapFrame), // amd64 498 OFFSET(InDispatchCode, KINTERRUPT, DispatchCode), // obsolete 499 SIZE(InterruptObjectLength, KINTERRUPT), 500 501 #ifdef _M_AMD64 502 HEADER("IO_STATUS_BLOCK"), 503 OFFSET(IoStatus, IO_STATUS_BLOCK, Status), 504 OFFSET(IoPointer, IO_STATUS_BLOCK, Pointer), 505 OFFSET(IoInformation, IO_STATUS_BLOCK, 
Information),
#endif /* _M_AMD64 */

#if (NTDDI_VERSION >= NTDDI_WIN8)
HEADER("KSTACK_CONTROL"),
OFFSET(KcCurrentBase, KSTACK_CONTROL, StackBase),
OFFSET(KcActualLimit, KSTACK_CONTROL, ActualLimit),
OFFSET(KcPreviousBase, KSTACK_CONTROL, Previous.StackBase),
OFFSET(KcPreviousLimit, KSTACK_CONTROL, Previous.StackLimit),
OFFSET(KcPreviousKernel, KSTACK_CONTROL, Previous.KernelStack),
OFFSET(KcPreviousInitial, KSTACK_CONTROL, Previous.InitialStack),
// NOTE(review): "_IX86" is not tested anywhere else in this table (every
// other x86 guard uses _M_IX86 or _X86_), so this block is most likely
// never emitted and KcTrapFrame/KcExceptionList never reach the asm side.
// Confirm the intended macro (presumably _M_IX86) before any x86 stack
// switch code relies on these two offsets.
#ifdef _IX86
OFFSET(KcTrapFrame, KSTACK_CONTROL, PreviousTrapFrame),
OFFSET(KcExceptionList, KSTACK_CONTROL, PreviousExceptionList),
#endif // _IX86
SIZE(KSTACK_CONTROL_LENGTH, KSTACK_CONTROL),
CONSTANT(KSTACK_ACTUAL_LIMIT_EXPANDED), // move somewhere else?
#else
//HEADER("KERNEL_STACK_CONTROL"),
#endif

#if 0 // no longer in win 10, different struct
HEADER("KNODE"),
//OFFSET(KnRight, KNODE, Right),
//OFFSET(KnLeft, KNODE, Left),
OFFSET(KnPfnDereferenceSListHead, KNODE, PfnDereferenceSListHead),
OFFSET(KnProcessorMask, KNODE, ProcessorMask),
OFFSET(KnColor, KNODE, Color),
OFFSET(KnSeed, KNODE, Seed),
OFFSET(KnNodeNumber, KNODE, NodeNumber),
OFFSET(KnFlags, KNODE, Flags),
OFFSET(KnMmShiftedColor, KNODE, MmShiftedColor),
OFFSET(KnFreeCount, KNODE, FreeCount),
OFFSET(KnPfnDeferredList, KNODE, PfnDeferredList),
SIZE(KNODE_SIZE, KNODE),
#endif

HEADER("KSPIN_LOCK_QUEUE"),
OFFSET(LqNext, KSPIN_LOCK_QUEUE, Next),
OFFSET(LqLock, KSPIN_LOCK_QUEUE, Lock),
SIZE(LOCK_QUEUE_HEADER_SIZE, KSPIN_LOCK_QUEUE),

HEADER("KLOCK_QUEUE_HANDLE"),
OFFSET(LqhLockQueue, KLOCK_QUEUE_HANDLE, LockQueue),
OFFSET(LqhNext, KLOCK_QUEUE_HANDLE, LockQueue.Next),
OFFSET(LqhLock, KLOCK_QUEUE_HANDLE, LockQueue.Lock),
OFFSET(LqhOldIrql, KLOCK_QUEUE_HANDLE, OldIrql),

HEADER("LARGE_INTEGER"),
OFFSET(LiLowPart, LARGE_INTEGER, LowPart),
OFFSET(LiHighPart, LARGE_INTEGER,
HighPart), 556 557 HEADER("LOADER_PARAMETER_BLOCK (rel. to LoadOrderListHead)"), 558 RELOFFSET(LpbKernelStack, LOADER_PARAMETER_BLOCK, KernelStack, LoadOrderListHead), 559 RELOFFSET(LpbPrcb, LOADER_PARAMETER_BLOCK, Prcb, LoadOrderListHead), 560 RELOFFSET(LpbProcess, LOADER_PARAMETER_BLOCK, Process, LoadOrderListHead), 561 RELOFFSET(LpbThread, LOADER_PARAMETER_BLOCK, Thread, LoadOrderListHead), 562 563 HEADER("LIST_ENTRY"), 564 OFFSET(LsFlink, LIST_ENTRY, Flink), 565 OFFSET(LsBlink, LIST_ENTRY, Blink), 566 567 HEADER("PEB"), 568 OFFSET(PeBeingDebugged, PEB, BeingDebugged), 569 OFFSET(PeProcessParameters, PEB, ProcessParameters), 570 OFFSET(PeKernelCallbackTable, PEB, KernelCallbackTable), 571 SIZE(ProcessEnvironmentBlockLength, PEB), 572 573 HEADER("KPROFILE"), 574 OFFSET(PfType, KPROFILE, Type), 575 OFFSET(PfSize, KPROFILE, Size), 576 OFFSET(PfProfileListEntry, KPROFILE, ProfileListEntry), 577 OFFSET(PfProcess, KPROFILE, Process), 578 OFFSET(PfRangeBase, KPROFILE, RangeBase), 579 OFFSET(PfRangeLimit, KPROFILE, RangeLimit), 580 OFFSET(PfBucketShift, KPROFILE, BucketShift), 581 OFFSET(PfBuffer, KPROFILE, Buffer), 582 OFFSET(PfSegment, KPROFILE, Segment), 583 OFFSET(PfAffinity, KPROFILE, Affinity), 584 OFFSET(PfSource, KPROFILE, Source), 585 OFFSET(PfStarted, KPROFILE, Started), 586 SIZE(ProfileObjectLength, KPROFILE), 587 588 HEADER("PORT_MESSAGE"), // whole thing obsolete in win10 589 OFFSET(PmLength, PORT_MESSAGE, u1.Length), 590 OFFSET(PmZeroInit, PORT_MESSAGE, u2.ZeroInit), 591 OFFSET(PmClientId, PORT_MESSAGE, ClientId), 592 OFFSET(PmProcess, PORT_MESSAGE, ClientId.UniqueProcess), 593 OFFSET(PmThread, PORT_MESSAGE, ClientId.UniqueThread), 594 OFFSET(PmMessageId, PORT_MESSAGE, MessageId), 595 OFFSET(PmClientViewSize, PORT_MESSAGE, ClientViewSize), 596 SIZE(PortMessageLength, PORT_MESSAGE), 597 598 HEADER("KPROCESS"), 599 OFFSET(PrType, KPROCESS, Header.Type), 600 OFFSET(PrSize, KPROCESS, Header.Size), 601 OFFSET(PrSignalState, KPROCESS, Header.SignalState), 602 
OFFSET(PrProfileListHead, KPROCESS, ProfileListHead), 603 OFFSET(PrDirectoryTableBase, KPROCESS, DirectoryTableBase), 604 #ifdef _M_ARM 605 //OFFSET(PrPageDirectory, KPROCESS, PageDirectory), 606 #elif defined(_M_IX86) 607 OFFSET(PrLdtDescriptor, KPROCESS, LdtDescriptor), 608 OFFSET(PrInt21Descriptor, KPROCESS, Int21Descriptor), 609 #endif 610 OFFSET(PrThreadListHead, KPROCESS, ThreadListHead), 611 OFFSET(PrAffinity, KPROCESS, Affinity), 612 OFFSET(PrReadyListHead, KPROCESS, ReadyListHead), 613 OFFSET(PrSwapListEntry, KPROCESS, SwapListEntry), 614 OFFSET(PrActiveProcessors, KPROCESS, ActiveProcessors), 615 OFFSET(PrProcessFlags, KPROCESS, ProcessFlags), 616 OFFSET(PrBasePriority, KPROCESS, BasePriority), 617 OFFSET(PrQuantumReset, KPROCESS, QuantumReset), 618 #if defined(_M_IX86) 619 OFFSET(PrIopmOffset, KPROCESS, IopmOffset), 620 #endif 621 #if (NTDDI_VERSION >= NTDDI_LONGHORN) 622 OFFSET(PrCycleTime, KPROCESS, CycleTime), 623 #endif 624 OFFSET(PrKernelTime, KPROCESS, KernelTime), 625 OFFSET(PrUserTime, KPROCESS, UserTime), 626 #if defined(_M_AMD64) || defined(_M_ARM) 627 //OFFSET(PrInstrumentationCallback, KPROCESS, InstrumentationCallback), 628 #elif defined(_M_IX86) 629 OFFSET(PrVdmTrapcHandler, KPROCESS, VdmTrapcHandler), 630 //OFFSET(PrVdmObjects, KPROCESS, VdmObjects), 631 OFFSET(PrFlags, KPROCESS, Flags), 632 //PrInstrumentationCallback equ 0031CH // ??? 
633 #endif 634 SIZE(KernelProcessObjectLength, KPROCESS), 635 636 HEADER("KQUEUE"), 637 OFFSET(QuType, KQUEUE, Header.Type), // not in win10 638 OFFSET(QuSize, KQUEUE, Header.Size), // not in win10 639 OFFSET(QuSignalState, KQUEUE, Header.SignalState), 640 OFFSET(QuEntryListHead, KQUEUE, EntryListHead), 641 OFFSET(QuCurrentCount, KQUEUE, CurrentCount), 642 OFFSET(QuMaximumCount, KQUEUE, MaximumCount), 643 OFFSET(QuThreadListHead, KQUEUE, ThreadListHead), 644 SIZE(QueueObjectLength, KQUEUE), 645 646 HEADER("KSERVICE_TABLE_DESCRIPTOR offsets"), 647 OFFSET(SdBase, KSERVICE_TABLE_DESCRIPTOR, Base), 648 OFFSET(SdCount, KSERVICE_TABLE_DESCRIPTOR, Count), // not in win10 649 OFFSET(SdLimit, KSERVICE_TABLE_DESCRIPTOR, Limit), 650 OFFSET(SdNumber, KSERVICE_TABLE_DESCRIPTOR, Number), 651 SIZE(SdLength, KSERVICE_TABLE_DESCRIPTOR), 652 653 HEADER("STRING"), 654 OFFSET(StrLength, STRING, Length), 655 OFFSET(StrMaximumLength, STRING, MaximumLength), 656 OFFSET(StrBuffer, STRING, Buffer), 657 658 HEADER("TEB"), 659 #if defined(_M_IX86) 660 OFFSET(TeExceptionList, TEB, NtTib.ExceptionList), 661 #elif defined(_M_AMD64) 662 OFFSET(TeCmTeb, TEB, NtTib), 663 #endif 664 OFFSET(TeStackBase, TEB, NtTib.StackBase), 665 OFFSET(TeStackLimit, TEB, NtTib.StackLimit), 666 OFFSET(TeFiberData, TEB, NtTib.FiberData), 667 OFFSET(TeSelf, TEB, NtTib.Self), 668 OFFSET(TeEnvironmentPointer, TEB, EnvironmentPointer), 669 OFFSET(TeClientId, TEB, ClientId), 670 OFFSET(TeActiveRpcHandle, TEB, ActiveRpcHandle), 671 OFFSET(TeThreadLocalStoragePointer, TEB, ThreadLocalStoragePointer), 672 OFFSET(TePeb, TEB, ProcessEnvironmentBlock), 673 OFFSET(TeLastErrorValue, TEB, LastErrorValue), 674 OFFSET(TeCountOfOwnedCriticalSections, TEB, CountOfOwnedCriticalSections), 675 OFFSET(TeCsrClientThread, TEB, CsrClientThread), 676 OFFSET(TeWOW32Reserved, TEB, WOW32Reserved), 677 //OFFSET(TeSoftFpcr, TEB, SoftFpcr), 678 OFFSET(TeExceptionCode, TEB, ExceptionCode), 679 OFFSET(TeActivationContextStackPointer, TEB, 
ActivationContextStackPointer), 680 //#if (NTDDI_VERSION >= NTDDI_WIN10) 681 //OFFSET(TeInstrumentationCallbackSp, TEB, InstrumentationCallbackSp), 682 //OFFSET(TeInstrumentationCallbackPreviousPc, TEB, InstrumentationCallbackPreviousPc), 683 //OFFSET(TeInstrumentationCallbackPreviousSp, TEB, InstrumentationCallbackPreviousSp), 684 //#endif 685 OFFSET(TeGdiClientPID, TEB, GdiClientPID), 686 OFFSET(TeGdiClientTID, TEB, GdiClientTID), 687 OFFSET(TeGdiThreadLocalInfo, TEB, GdiThreadLocalInfo), 688 OFFSET(TeglDispatchTable, TEB, glDispatchTable), 689 OFFSET(TeglReserved1, TEB, glReserved1), 690 OFFSET(TeglReserved2, TEB, glReserved2), 691 OFFSET(TeglSectionInfo, TEB, glSectionInfo), 692 OFFSET(TeglSection, TEB, glSection), 693 OFFSET(TeglTable, TEB, glTable), 694 OFFSET(TeglCurrentRC, TEB, glCurrentRC), 695 OFFSET(TeglContext, TEB, glContext), 696 OFFSET(TeDeallocationStack, TEB, DeallocationStack), 697 OFFSET(TeTlsSlots, TEB, TlsSlots), 698 OFFSET(TeVdm, TEB, Vdm), 699 OFFSET(TeInstrumentation, TEB, Instrumentation), 700 OFFSET(TeGdiBatchCount, TEB, GdiBatchCount), 701 OFFSET(TeGuaranteedStackBytes, TEB, GuaranteedStackBytes), 702 OFFSET(TeTlsExpansionSlots, TEB, TlsExpansionSlots), 703 OFFSET(TeFlsData, TEB, FlsData), 704 SIZE(ThreadEnvironmentBlockLength, TEB), 705 706 HEADER("TIME_FIELDS"), 707 OFFSET(TfYear, TIME_FIELDS, Year), 708 OFFSET(TfMonth, TIME_FIELDS, Month), 709 OFFSET(TfDay, TIME_FIELDS, Day), 710 OFFSET(TfHour, TIME_FIELDS, Hour), 711 OFFSET(TfMinute, TIME_FIELDS, Minute), 712 OFFSET(TfSecond, TIME_FIELDS, Second), 713 OFFSET(TfMilliseconds, TIME_FIELDS, Milliseconds), 714 OFFSET(TfWeekday, TIME_FIELDS, Weekday), 715 716 HEADER("KTHREAD"), 717 OFFSET(ThType, KTHREAD, Header.Type), 718 OFFSET(ThLock, KTHREAD, Header.Lock), 719 OFFSET(ThSize, KTHREAD, Header.Size), 720 OFFSET(ThThreadControlFlags, KTHREAD, Header.ThreadControlFlags), 721 OFFSET(ThDebugActive, KTHREAD, Header.DebugActive), 722 OFFSET(ThSignalState, KTHREAD, Header.SignalState), 723 
OFFSET(ThInitialStack, KTHREAD, InitialStack), 724 OFFSET(ThStackLimit, KTHREAD, StackLimit), 725 OFFSET(ThStackBase, KTHREAD, StackBase), 726 OFFSET(ThThreadLock, KTHREAD, ThreadLock), 727 #if (NTDDI_VERSION >= NTDDI_LONGHORN) 728 OFFSET(ThCycleTime, KTHREAD, CycleTime), 729 #if defined(_M_IX86) 730 OFFSET(ThHighCycleTime, KTHREAD, HighCycleTime), 731 #endif 732 #endif /* (NTDDI_VERSION >= NTDDI_LONGHORN) */ 733 #if defined(_M_IX86) 734 OFFSET(ThServiceTable, KTHREAD, ServiceTable), 735 #endif 736 //OFFSET(ThCurrentRunTime, KTHREAD, CurrentRunTime), 737 //OFFSET(ThStateSaveArea, KTHREAD, StateSaveArea), // 0x3C not arm 738 OFFSET(ThKernelStack, KTHREAD, KernelStack), 739 #if (NTDDI_VERSION >= NTDDI_WIN7) 740 OFFSET(ThRunning, KTHREAD, Running), 741 #endif /* (NTDDI_VERSION >= NTDDI_WIN7) */ 742 OFFSET(ThAlerted, KTHREAD, Alerted), 743 #if (NTDDI_VERSION >= NTDDI_WIN7) 744 OFFSET(ThMiscFlags, KTHREAD, MiscFlags), 745 #endif /* (NTDDI_VERSION >= NTDDI_WIN7) */ 746 OFFSET(ThThreadFlags, KTHREAD, ThreadFlags), 747 #if (NTDDI_VERSION >= NTDDI_LONGHORN) 748 OFFSET(ThSystemCallNumber, KTHREAD, SystemCallNumber), 749 #endif /* (NTDDI_VERSION >= NTDDI_LONGHORN) */ 750 //OFFSET(ThFirstArgument, KTHREAD, FirstArgument), 751 OFFSET(ThTrapFrame, KTHREAD, TrapFrame), 752 OFFSET(ThApcState, KTHREAD, ApcState), 753 OFFSET(ThPriority, KTHREAD, Priority), 754 OFFSET(ThContextSwitches, KTHREAD, ContextSwitches), 755 OFFSET(ThState, KTHREAD, State), 756 OFFSET(ThNpxState, KTHREAD, NpxState), 757 OFFSET(ThWaitIrql, KTHREAD, WaitIrql), 758 OFFSET(ThWaitMode, KTHREAD, WaitMode), 759 OFFSET(ThTeb, KTHREAD, Teb), 760 OFFSET(ThTimer, KTHREAD, Timer), 761 OFFSET(ThWin32Thread, KTHREAD, Win32Thread), 762 OFFSET(ThWaitTime, KTHREAD, WaitTime), 763 OFFSET(ThCombinedApcDisable, KTHREAD, CombinedApcDisable), 764 OFFSET(ThKernelApcDisable, KTHREAD, KernelApcDisable), 765 OFFSET(ThSpecialApcDisable, KTHREAD, SpecialApcDisable), 766 #if defined(_M_ARM) 767 //OFFSET(ThVfpState, KTHREAD, VfpState), 
#endif
OFFSET(ThNextProcessor, KTHREAD, NextProcessor),
OFFSET(ThProcess, KTHREAD, Process),
OFFSET(ThPreviousMode, KTHREAD, PreviousMode),
OFFSET(ThPriorityDecrement, KTHREAD, PriorityDecrement),
OFFSET(ThAdjustReason, KTHREAD, AdjustReason),
OFFSET(ThAdjustIncrement, KTHREAD, AdjustIncrement),
OFFSET(ThAffinity, KTHREAD, Affinity),
OFFSET(ThApcStateIndex, KTHREAD, ApcStateIndex),
OFFSET(ThIdealProcessor, KTHREAD, IdealProcessor),
OFFSET(ThApcStatePointer, KTHREAD, ApcStatePointer),
OFFSET(ThSavedApcState, KTHREAD, SavedApcState),
OFFSET(ThWaitReason, KTHREAD, WaitReason),
OFFSET(ThSaturation, KTHREAD, Saturation),
OFFSET(ThLegoData, KTHREAD, LegoData),
//#if defined(_M_ARM) && (NTDDI_VERSION >= NTDDI_WIN10)
//#define ThUserRoBase 0x434
//#define ThUserRwBase 0x438
//#endif
#ifdef _M_IX86
// NOTE(review): PLACEHOLDERS. Both symbols are emitted as the offset of
// KTHREAD.WaitReason, not of dedicated SList-fault fields; the trailing
// hex comments appear to be the upstream offsets, not what this table
// emits. Asm that dereferences ThSListFaultCount/ThSListFaultAddress
// reads or writes WaitReason.
OFFSET(ThSListFaultCount, KTHREAD, WaitReason), // 0x18E
OFFSET(ThSListFaultAddress, KTHREAD, WaitReason), // 0x10
#endif // _M_IX86
#if defined(_M_IX86) || defined(_M_AMD64)
// NOTE(review): PLACEHOLDERS, same aliasing as above - ThUserFsBase and
// ThUserGsBase both resolve to KTHREAD.WaitReason. Any code that saves or
// restores the user FS/GS base through these offsets would actually
// clobber WaitReason (and read garbage back), so they must not be used
// until KTHREAD carries real fields for them.
OFFSET(ThUserFsBase, KTHREAD, WaitReason), // 0x434
OFFSET(ThUserGsBase, KTHREAD, WaitReason), // 0x438
#endif // defined
SIZE(KernelThreadObjectLength, KTHREAD),

HEADER("KTIMER"),
OFFSET(TiType, KTIMER, Header.Type),
OFFSET(TiSize, KTIMER, Header.Size),
#if (NTDDI_VERSION < NTDDI_WIN7)
OFFSET(TiInserted, KTIMER, Header.Inserted),
#endif
OFFSET(TiSignalState, KTIMER, Header.SignalState),
OFFSET(TiDueTime, KTIMER, DueTime),
OFFSET(TiTimerListEntry, KTIMER, TimerListEntry),
OFFSET(TiDpc, KTIMER, Dpc),
OFFSET(TiPeriod, KTIMER, Period),
SIZE(TimerObjectLength, KTIMER),

HEADER("TIME"),
OFFSET(TmLowTime, TIME, LowTime),
OFFSET(TmHighTime, TIME, HighTime),

/* All Tw* values are relative to FindAny, not to the start of the struct. */
HEADER("SYSTEM_CONTEXT_SWITCH_INFORMATION (relative to FindAny)"),
RELOFFSET(TwFindAny, SYSTEM_CONTEXT_SWITCH_INFORMATION, FindAny, FindAny),
RELOFFSET(TwFindIdeal,
SYSTEM_CONTEXT_SWITCH_INFORMATION, FindIdeal, FindAny), 817 RELOFFSET(TwFindLast, SYSTEM_CONTEXT_SWITCH_INFORMATION, FindLast, FindAny), 818 RELOFFSET(TwIdleAny, SYSTEM_CONTEXT_SWITCH_INFORMATION, IdleAny, FindAny), 819 RELOFFSET(TwIdleCurrent, SYSTEM_CONTEXT_SWITCH_INFORMATION, IdleCurrent, FindAny), 820 RELOFFSET(TwIdleIdeal, SYSTEM_CONTEXT_SWITCH_INFORMATION, IdleIdeal, FindAny), 821 RELOFFSET(TwIdleLast, SYSTEM_CONTEXT_SWITCH_INFORMATION, IdleLast, FindAny), 822 RELOFFSET(TwPreemptAny, SYSTEM_CONTEXT_SWITCH_INFORMATION, PreemptAny, FindAny), 823 RELOFFSET(TwPreemptCurrent, SYSTEM_CONTEXT_SWITCH_INFORMATION, PreemptCurrent, FindAny), 824 RELOFFSET(TwPreemptLast, SYSTEM_CONTEXT_SWITCH_INFORMATION, PreemptLast, FindAny), 825 RELOFFSET(TwSwitchToIdle, SYSTEM_CONTEXT_SWITCH_INFORMATION, SwitchToIdle, FindAny), 826 827 HEADER("KUSER_SHARED_DATA"), 828 OFFSET(UsTickCountMultiplier, KUSER_SHARED_DATA, TickCountMultiplier), // 0x4 829 OFFSET(UsInterruptTime, KUSER_SHARED_DATA, InterruptTime), // 0x8 830 OFFSET(UsSystemTime, KUSER_SHARED_DATA, SystemTime), // 0x14 831 OFFSET(UsTimeZoneBias, KUSER_SHARED_DATA, TimeZoneBias), // 0x20 832 OFFSET(UsImageNumberLow, KUSER_SHARED_DATA, ImageNumberLow), 833 OFFSET(UsImageNumberHigh, KUSER_SHARED_DATA, ImageNumberHigh), 834 OFFSET(UsNtSystemRoot, KUSER_SHARED_DATA, NtSystemRoot), 835 OFFSET(UsMaxStackTraceDepth, KUSER_SHARED_DATA, MaxStackTraceDepth), 836 OFFSET(UsCryptoExponent, KUSER_SHARED_DATA, CryptoExponent), 837 OFFSET(UsTimeZoneId, KUSER_SHARED_DATA, TimeZoneId), 838 OFFSET(UsLargePageMinimum, KUSER_SHARED_DATA, LargePageMinimum), 839 //#if (NTDDI_VERSION >= NTDDI_WIN10) 840 //OFFSET(UsNtBuildNumber, KUSER_SHARED_DATA, NtBuildNumber), 841 //#else 842 OFFSET(UsReserved2, KUSER_SHARED_DATA, Reserved2), 843 //#endif 844 OFFSET(UsNtProductType, KUSER_SHARED_DATA, NtProductType), 845 OFFSET(UsProductTypeIsValid, KUSER_SHARED_DATA, ProductTypeIsValid), 846 OFFSET(UsNtMajorVersion, KUSER_SHARED_DATA, NtMajorVersion), 847 
OFFSET(UsNtMinorVersion, KUSER_SHARED_DATA, NtMinorVersion), 848 OFFSET(UsProcessorFeatures, KUSER_SHARED_DATA, ProcessorFeatures), 849 OFFSET(UsReserved1, KUSER_SHARED_DATA, Reserved1), 850 OFFSET(UsReserved3, KUSER_SHARED_DATA, Reserved3), 851 OFFSET(UsTimeSlip, KUSER_SHARED_DATA, TimeSlip), 852 OFFSET(UsAlternativeArchitecture, KUSER_SHARED_DATA, AlternativeArchitecture), 853 OFFSET(UsSystemExpirationDate, KUSER_SHARED_DATA, SystemExpirationDate), // not arm 854 OFFSET(UsSuiteMask, KUSER_SHARED_DATA, SuiteMask), 855 OFFSET(UsKdDebuggerEnabled, KUSER_SHARED_DATA, KdDebuggerEnabled), 856 OFFSET(UsActiveConsoleId, KUSER_SHARED_DATA, ActiveConsoleId), 857 OFFSET(UsDismountCount, KUSER_SHARED_DATA, DismountCount), 858 OFFSET(UsComPlusPackage, KUSER_SHARED_DATA, ComPlusPackage), 859 OFFSET(UsLastSystemRITEventTickCount, KUSER_SHARED_DATA, LastSystemRITEventTickCount), 860 OFFSET(UsNumberOfPhysicalPages, KUSER_SHARED_DATA, NumberOfPhysicalPages), 861 OFFSET(UsSafeBootMode, KUSER_SHARED_DATA, SafeBootMode), 862 OFFSET(UsTestRetInstruction, KUSER_SHARED_DATA, TestRetInstruction), 863 OFFSET(UsSystemCall, KUSER_SHARED_DATA, SystemCall), // not in win10 864 OFFSET(UsSystemCallReturn, KUSER_SHARED_DATA, SystemCallReturn), // not in win10 865 OFFSET(UsSystemCallPad, KUSER_SHARED_DATA, SystemCallPad), 866 OFFSET(UsTickCount, KUSER_SHARED_DATA, TickCount), 867 OFFSET(UsTickCountQuad, KUSER_SHARED_DATA, TickCountQuad), 868 OFFSET(UsWow64SharedInformation, KUSER_SHARED_DATA, Wow64SharedInformation), // not in win10 869 //OFFSET(UsXState, KUSER_SHARED_DATA, XState), // win 10 870 871 HEADER("KWAIT_BLOCK offsets"), 872 OFFSET(WbWaitListEntry, KWAIT_BLOCK, WaitListEntry), 873 OFFSET(WbThread, KWAIT_BLOCK, Thread), 874 OFFSET(WbObject, KWAIT_BLOCK, Object), 875 OFFSET(WbNextWaitBlock, KWAIT_BLOCK, NextWaitBlock), // not in win10 876 OFFSET(WbWaitKey, KWAIT_BLOCK, WaitKey), 877 OFFSET(WbWaitType, KWAIT_BLOCK, WaitType), 878 879 880 #if 0 881 //OFFSET(IbCfgBitMap, ????, CfgBitMap), 
882 CONSTANT(Win32BatchFlushCallout 0x7 883 884 885 #define CmThreadEnvironmentBlockOffset 0x1000 886 887 ; Process Parameters Block Structure Offset Definitions 888 #define PpFlags 0x8 889 890 891 // Extended context structure offset definitions 892 #define CxxLegacyOffset 0x8 893 #define CxxLegacyLength 0xc 894 #define CxxXStateOffset 0x10 895 #define CxxXStateLength 0x14 896 897 #ifndef _M_ARM 898 ; Bounds Callback Status Code Definitions 899 BoundExceptionContinueSearch equ 00000H 900 BoundExceptionHandled equ 00001H 901 BoundExceptionError equ 00002H 902 #endif 903 904 #ifndef _M_ARM 905 ; Enlightenment structure definitions 906 HeEnlightenments equ 00000H 907 HeHypervisorConnected equ 00004H 908 HeEndOfInterrupt equ 00008H 909 HeApicWriteIcr equ 0000CH 910 HeSpinCountMask equ 00014H 911 HeLongSpinWait equ 00018H 912 #endif 913 914 // KAFFINITY_EX 915 #define AffinityExLength 0xc // not i386 916 917 #endif 918