1 2 3 HEADER("Pointer size"), 4 SIZE(SizeofPointer, PVOID), 5 6 HEADER("Bug Check Codes"), 7 CONSTANT(APC_INDEX_MISMATCH), 8 CONSTANT(INVALID_AFFINITY_SET), 9 CONSTANT(INVALID_DATA_ACCESS_TRAP), 10 CONSTANT(IRQL_NOT_GREATER_OR_EQUAL), 11 CONSTANT(IRQL_NOT_LESS_OR_EQUAL), // 0x0a 12 CONSTANT(NO_USER_MODE_CONTEXT), // 0x0e 13 CONSTANT(SPIN_LOCK_ALREADY_OWNED), // 0x0f 14 CONSTANT(SPIN_LOCK_NOT_OWNED), // 0x10 15 CONSTANT(THREAD_NOT_MUTEX_OWNER), // 0x11 16 CONSTANT(TRAP_CAUSE_UNKNOWN), // 0x12 17 CONSTANT(KMODE_EXCEPTION_NOT_HANDLED), // 0x1e 18 CONSTANT(KERNEL_APC_PENDING_DURING_EXIT), // 0x20 19 CONSTANT(PANIC_STACK_SWITCH), // 0x2b 20 CONSTANT(DATA_BUS_ERROR), // 0x2e 21 CONSTANT(INSTRUCTION_BUS_ERROR), // 0x2f 22 CONSTANT(SYSTEM_EXIT_OWNED_MUTEX), // 0x39 23 //CONSTANT(SYSTEM_UNWIND_PREVIOUS_USER), // 0x3a 24 //CONSTANT(SYSTEM_SERVICE_EXCEPTION), // 0x3b 25 //CONSTANT(INTERRUPT_UNWIND_ATTEMPTED), // 0x3c 26 //CONSTANT(INTERRUPT_EXCEPTION_NOT_HANDLED), // 0x3d 27 CONSTANT(PAGE_FAULT_WITH_INTERRUPTS_OFF), // 0x49 28 CONSTANT(IRQL_GT_ZERO_AT_SYSTEM_SERVICE), // 0x4a 29 CONSTANT(DATA_COHERENCY_EXCEPTION), // 0x55 30 CONSTANT(INSTRUCTION_COHERENCY_EXCEPTION), // 0x56 31 CONSTANT(HAL1_INITIALIZATION_FAILED), // 0x61 32 CONSTANT(UNEXPECTED_KERNEL_MODE_TRAP), // 0x7f 33 CONSTANT(NMI_HARDWARE_FAILURE), // 0x80 34 CONSTANT(SPIN_LOCK_INIT_FAILURE), // 0x81 35 CONSTANT(ATTEMPTED_SWITCH_FROM_DPC), // 0xb8 36 //CONSTANT(MUTEX_ALREADY_OWNED), // 0xbf 37 //CONSTANT(HARDWARE_INTERRUPT_STORM), // 0xf2 38 //CONSTANT(RECURSIVE_MACHINE_CHECK), // 0xfb 39 //CONSTANT(RECURSIVE_NMI), // 0x111 40 CONSTANT(KERNEL_SECURITY_CHECK_FAILURE), // 0x139 41 //CONSTANT(UNSUPPORTED_INSTRUCTION_MODE), // 0x151 42 //CONSTANT(BUGCHECK_CONTEXT_MODIFIER), // 0x80000000 43 //CONSTANT(INVALID_CALLBACK_STACK_ADDRESS), 44 //CONSTANT(INVALID_KERNEL_STACK_ADDRESS), 45 46 HEADER("Breakpoints"), 47 CONSTANT(BREAKPOINT_BREAK), 48 CONSTANT(BREAKPOINT_PRINT), 49 CONSTANT(BREAKPOINT_PROMPT), 50 
CONSTANT(BREAKPOINT_LOAD_SYMBOLS), 51 CONSTANT(BREAKPOINT_UNLOAD_SYMBOLS), 52 CONSTANT(BREAKPOINT_COMMAND_STRING), 53 54 HEADER("Context Frame Flags"), 55 CONSTANT(CONTEXT_FULL), 56 CONSTANT(CONTEXT_CONTROL), 57 CONSTANT(CONTEXT_INTEGER), 58 CONSTANT(CONTEXT_FLOATING_POINT), 59 CONSTANT(CONTEXT_DEBUG_REGISTERS), 60 #if defined(_M_IX86) || defined(_M_AMD64) 61 CONSTANT(CONTEXT_SEGMENTS), 62 #endif 63 64 HEADER("Exception flags"), 65 CONSTANT(EXCEPTION_NONCONTINUABLE), 66 CONSTANT(EXCEPTION_UNWINDING), 67 CONSTANT(EXCEPTION_EXIT_UNWIND), 68 CONSTANT(EXCEPTION_STACK_INVALID), 69 CONSTANT(EXCEPTION_NESTED_CALL), 70 CONSTANT(EXCEPTION_TARGET_UNWIND), 71 CONSTANT(EXCEPTION_COLLIDED_UNWIND), 72 CONSTANT(EXCEPTION_UNWIND), 73 CONSTANT(EXCEPTION_EXECUTE_HANDLER), 74 CONSTANT(EXCEPTION_CONTINUE_SEARCH), 75 CONSTANT(EXCEPTION_CONTINUE_EXECUTION), 76 #ifdef _X86_ 77 CONSTANT(EXCEPTION_CHAIN_END), 78 //CONSTANT(FIXED_NTVDMSTATE_LINEAR), /// FIXME ??? 79 #endif 80 81 HEADER("Exception types"), 82 CONSTANT(ExceptionContinueExecution), 83 CONSTANT(ExceptionContinueSearch), 84 CONSTANT(ExceptionNestedException), 85 CONSTANT(ExceptionCollidedUnwind), 86 87 HEADER("Fast Fail Constants"), 88 CONSTANT(FAST_FAIL_GUARD_ICALL_CHECK_FAILURE), 89 //CONSTANT(FAST_FAIL_INVALID_BUFFER_ACCESS), 90 #ifdef _M_ASM64 91 CONSTANT(FAST_FAIL_INVALID_JUMP_BUFFER), 92 CONSTANT(FAST_FAIL_INVALID_SET_OF_CONTEXT), 93 #endif // _M_ASM64 94 //CONSTANT(FAST_FAIL_INVALID_NEXT_THREAD), 95 //CONSTANT(FAST_FAIL_INVALID_CONTROL_STACK), 96 //CONSTANT(FAST_FAIL_SET_CONTEXT_DENIED), 97 //CONSTANT(FAST_FAIL_ENCLAVE_CALL_FAILURE), 98 //CONSTANT(FAST_FAIL_GUARD_SS_FAILURE), 99 100 HEADER("Interrupt object types"), 101 CONSTANTX(InLevelSensitive, LevelSensitive), 102 CONSTANTX(InLatched, Latched), 103 104 HEADER("IPI"), 105 #ifndef _M_AMD64 106 CONSTANT(IPI_APC), 107 CONSTANT(IPI_DPC), 108 CONSTANT(IPI_FREEZE), 109 CONSTANT(IPI_PACKET_READY), 110 #endif // _M_AMD64 111 #ifdef _M_IX86 112 CONSTANT(IPI_SYNCH_REQUEST), 113 
#endif // _M_IX86 114 115 HEADER("IRQL"), 116 CONSTANT(PASSIVE_LEVEL), 117 CONSTANT(APC_LEVEL), 118 CONSTANT(DISPATCH_LEVEL), 119 #ifdef _M_AMD64 120 CONSTANT(CLOCK_LEVEL), 121 #elif defined(_M_IX86) 122 CONSTANT(CLOCK1_LEVEL), 123 CONSTANT(CLOCK2_LEVEL), 124 #endif 125 CONSTANT(IPI_LEVEL), 126 CONSTANT(POWER_LEVEL), 127 CONSTANT(PROFILE_LEVEL), 128 CONSTANT(HIGH_LEVEL), 129 130 RAW("#ifndef CONFIG_SMP"), 131 CONSTANTX(SYNCH_LEVEL, DISPATCH_LEVEL), 132 RAW("#else"), 133 #if defined(_M_IX86) && (NTDDI_VERSION < NTDDI_WS03) 134 CONSTANTX(SYNCH_LEVEL, (IPI_LEVEL - 1)), 135 #else 136 CONSTANTX(SYNCH_LEVEL, (IPI_LEVEL - 2)), 137 #endif 138 RAW("#endif"), 139 140 #if (NTDDI_VERSION >= NTDDI_WIN8) 141 HEADER("Entropy Timing Constants"), 142 CONSTANT(KENTROPY_TIMING_INTERRUPTS_PER_BUFFER), 143 CONSTANT(KENTROPY_TIMING_BUFFER_MASK), 144 CONSTANT(KENTROPY_TIMING_ANALYSIS), 145 #endif 146 147 HEADER("Lock Queue"), 148 CONSTANT(LOCK_QUEUE_WAIT), 149 CONSTANT(LOCK_QUEUE_OWNER), 150 CONSTANT(LockQueueDispatcherLock), /// FIXE: obsolete 151 152 //HEADER("Performance Definitions"), 153 //CONSTANT(PERF_CONTEXTSWAP_OFFSET), 154 //CONSTANT(PERF_CONTEXTSWAP_FLAG), 155 //CONSTANT(PERF_INTERRUPT_OFFSET), 156 //CONSTANT(PERF_INTERRUPT_FLAG), 157 //CONSTANT(PERF_SYSCALL_OFFSET), 158 //CONSTANT(PERF_SYSCALL_FLAG), 159 #ifndef _M_ARM 160 //CONSTANT(PERF_PROFILE_OFFSET), /// FIXE: obsolete 161 //CONSTANT(PERF_PROFILE_FLAG), /// FIXE: obsolete 162 //CONSTANT(PERF_SPINLOCK_OFFSET), /// FIXE: obsolete 163 //CONSTANT(PERF_SPINLOCK_FLAG), /// FIXE: obsolete 164 #endif 165 #ifdef _M_IX86 166 //CONSTANT(PERF_IPI_OFFSET), // 00008H 167 //CONSTANT(PERF_IPI_FLAG), // 0400000H 168 //CONSTANT(PERF_IPI), // 040400000H 169 #endif 170 //CONSTANT(PERF_INTERRUPT), // 020004000H//CONSTANT(NTOS_YIELD_MACRO), 171 172 HEADER("Process states"), 173 CONSTANT(ProcessInMemory), 174 CONSTANT(ProcessOutOfMemory), 175 CONSTANT(ProcessInTransition), 176 177 HEADER("Processor mode"), 178 CONSTANT(KernelMode), 179 
CONSTANT(UserMode), 180 181 HEADER("Service Table Constants"), 182 CONSTANT(NUMBER_SERVICE_TABLES), 183 CONSTANT(SERVICE_NUMBER_MASK), 184 CONSTANT(SERVICE_TABLE_SHIFT), 185 CONSTANT(SERVICE_TABLE_MASK), 186 CONSTANT(SERVICE_TABLE_TEST), 187 188 HEADER("Status codes"), 189 CONSTANT(STATUS_ACCESS_VIOLATION), 190 CONSTANT(STATUS_ASSERTION_FAILURE), 191 CONSTANT(STATUS_ARRAY_BOUNDS_EXCEEDED), 192 CONSTANT(STATUS_BAD_COMPRESSION_BUFFER), 193 CONSTANT(STATUS_BREAKPOINT), 194 CONSTANT(STATUS_CALLBACK_POP_STACK), 195 CONSTANT(STATUS_DATATYPE_MISALIGNMENT), 196 CONSTANT(STATUS_FLOAT_DENORMAL_OPERAND), 197 CONSTANT(STATUS_FLOAT_DIVIDE_BY_ZERO), 198 CONSTANT(STATUS_FLOAT_INEXACT_RESULT), 199 CONSTANT(STATUS_FLOAT_INVALID_OPERATION), 200 CONSTANT(STATUS_FLOAT_OVERFLOW), 201 CONSTANT(STATUS_FLOAT_STACK_CHECK), 202 CONSTANT(STATUS_FLOAT_UNDERFLOW), 203 CONSTANT(STATUS_FLOAT_MULTIPLE_FAULTS), 204 CONSTANT(STATUS_FLOAT_MULTIPLE_TRAPS), 205 CONSTANT(STATUS_GUARD_PAGE_VIOLATION), 206 CONSTANT(STATUS_ILLEGAL_FLOAT_CONTEXT), 207 CONSTANT(STATUS_ILLEGAL_INSTRUCTION), 208 CONSTANT(STATUS_INSTRUCTION_MISALIGNMENT), 209 CONSTANT(STATUS_INVALID_HANDLE), 210 CONSTANT(STATUS_INVALID_LOCK_SEQUENCE), 211 CONSTANT(STATUS_INVALID_OWNER), 212 CONSTANT(STATUS_INVALID_PARAMETER), 213 CONSTANT(STATUS_INVALID_PARAMETER_1), 214 CONSTANT(STATUS_INVALID_SYSTEM_SERVICE), 215 //CONSTANT(STATUS_INVALID_THREAD), 216 CONSTANT(STATUS_INTEGER_DIVIDE_BY_ZERO), 217 CONSTANT(STATUS_INTEGER_OVERFLOW), 218 CONSTANT(STATUS_IN_PAGE_ERROR), 219 CONSTANT(STATUS_KERNEL_APC), 220 CONSTANT(STATUS_LONGJUMP), 221 CONSTANT(STATUS_NO_CALLBACK_ACTIVE), 222 #ifndef _M_ARM 223 CONSTANT(STATUS_NO_EVENT_PAIR), /// FIXME: obsolete 224 #endif 225 CONSTANT(STATUS_PRIVILEGED_INSTRUCTION), 226 CONSTANT(STATUS_SINGLE_STEP), 227 CONSTANT(STATUS_STACK_BUFFER_OVERRUN), 228 CONSTANT(STATUS_STACK_OVERFLOW), 229 CONSTANT(STATUS_SUCCESS), 230 CONSTANT(STATUS_THREAD_IS_TERMINATING), 231 CONSTANT(STATUS_TIMEOUT), 232 CONSTANT(STATUS_UNWIND), 
233 CONSTANT(STATUS_UNWIND_CONSOLIDATE), 234 CONSTANT(STATUS_USER_APC), 235 CONSTANT(STATUS_WAKE_SYSTEM), 236 CONSTANT(STATUS_WAKE_SYSTEM_DEBUGGER), 237 //CONSTANT(STATUS_SET_CONTEXT_DENIED), 238 239 //HEADER("Thread flags"), 240 //CONSTANT(THREAD_FLAGS_CYCLE_PROFILING), 241 //CONSTANT(THREAD_FLAGS_CYCLE_PROFILING_LOCK_BIT), 242 //CONSTANT(THREAD_FLAGS_CYCLE_PROFILING_LOCK), 243 //CONSTANT(THREAD_FLAGS_COUNTER_PROFILING), 244 //CONSTANT(THREAD_FLAGS_COUNTER_PROFILING_LOCK_BIT), 245 //CONSTANT(THREAD_FLAGS_COUNTER_PROFILING_LOCK), 246 //CONSTANT(THREAD_FLAGS_CPU_THROTTLED), /// FIXME: obsolete 247 //CONSTANT(THREAD_FLAGS_CPU_THROTTLED_BIT), /// FIXME: obsolete 248 //CONSTANT(THREAD_FLAGS_ACCOUNTING_CSWITCH), 249 //CONSTANT(THREAD_FLAGS_ACCOUNTING_INTERRUPT), 250 //CONSTANT(THREAD_FLAGS_ACCOUNTING_ANY), 251 //CONSTANT(THREAD_FLAGS_GROUP_SCHEDULING), 252 //CONSTANT(THREAD_FLAGS_AFFINITY_SET), 253 #ifdef _M_IX86 254 //CONSTANT(THREAD_FLAGS_INSTRUMENTED), // 0x0040 255 //CONSTANT(THREAD_FLAGS_INSTRUMENTED_PROFILING), // 0x0041 256 #endif // _M_IX86 257 258 HEADER("TLS defines"), 259 CONSTANT(TLS_MINIMUM_AVAILABLE), 260 CONSTANT(TLS_EXPANSION_SLOTS), 261 262 HEADER("Thread states"), 263 CONSTANT(Initialized), 264 CONSTANT(Ready), 265 CONSTANT(Running), 266 CONSTANT(Standby), 267 CONSTANT(Terminated), 268 CONSTANT(Waiting), 269 #ifdef _M_ARM 270 CONSTANT(Transition), 271 CONSTANT(DeferredReady), 272 //CONSTANT(GateWaitObsolete), 273 #endif // _M_ARM 274 275 HEADER("Wait type / reason"), 276 CONSTANT(WrExecutive), 277 CONSTANT(WrMutex), /// FIXME: Obsolete 278 CONSTANT(WrDispatchInt), 279 CONSTANT(WrQuantumEnd), /// FIXME: Obsolete 280 CONSTANT(WrEventPair), /// FIXME: Obsolete 281 CONSTANT(WaitAny), 282 CONSTANT(WaitAll), 283 284 HEADER("Stack sizes"), 285 CONSTANT(KERNEL_STACK_SIZE), /// FIXME: Obsolete 286 CONSTANT(KERNEL_LARGE_STACK_SIZE), 287 CONSTANT(KERNEL_LARGE_STACK_COMMIT), 288 //CONSTANT(DOUBLE_FAULT_STACK_SIZE), 289 #ifdef _M_AMD64 290 
CONSTANT(KERNEL_MCA_EXCEPTION_STACK_SIZE), 291 CONSTANT(NMI_STACK_SIZE), 292 CONSTANT(ISR_STACK_SIZE), 293 #endif 294 295 //CONSTANT(KTHREAD_AUTO_ALIGNMENT_BIT), 296 //CONSTANT(KTHREAD_GUI_THREAD_MASK), 297 //CONSTANT(KTHREAD_SYSTEM_THREAD_BIT), 298 //CONSTANT(KTHREAD_QUEUE_DEFER_PREEMPTION_BIT), 299 //CONSTANT(KTHREAD_RESTRICTED_GUI_THREAD_MASK), 300 //CONSTANT(KTHREAD_BAM_QOS_LEVEL_MASK), 301 302 HEADER("Miscellaneous Definitions"), 303 CONSTANT(TRUE), 304 CONSTANT(FALSE), 305 CONSTANT(PAGE_SIZE), 306 CONSTANT(Executive), 307 //CONSTANT(BASE_PRIORITY_THRESHOLD), 308 //CONSTANT(EVENT_PAIR_INCREMENT), /// FIXME: obsolete 309 CONSTANT(LOW_REALTIME_PRIORITY), 310 CONSTANT(CLOCK_QUANTUM_DECREMENT), 311 //CONSTANT(READY_SKIP_QUANTUM), 312 //CONSTANT(THREAD_QUANTUM), 313 CONSTANT(WAIT_QUANTUM_DECREMENT), 314 //CONSTANT(ROUND_TRIP_DECREMENT_COUNT), 315 CONSTANT(MAXIMUM_PROCESSORS), 316 CONSTANT(INITIAL_STALL_COUNT), 317 //CONSTANT(EXCEPTION_EXECUTE_FAULT), // amd64 318 //CONSTANT(KCACHE_ERRATA_MONITOR_FLAGS), // not arm 319 //CONSTANT(KI_DPC_ALL_FLAGS), 320 //CONSTANT(KI_DPC_ANY_DPC_ACTIVE), 321 //CONSTANT(KI_DPC_INTERRUPT_FLAGS), // 0x2f arm and x64 322 //CONSTANT(KI_EXCEPTION_GP_FAULT), // not i386 323 //CONSTANT(KI_EXCEPTION_INVALID_OP), // not i386 324 //CONSTANT(KI_EXCEPTION_INTEGER_DIVIDE_BY_ZERO), // amd64 325 CONSTANT(KI_EXCEPTION_ACCESS_VIOLATION), 326 //CONSTANT(KI_EXCEPTION_SECURE_FAULT), 327 //CONSTANT(KI_EXCEPTION_SEGMENT_NOT_PRESENT), 328 //CONSTANT(KINTERRUPT_STATE_DISABLED_BIT), 329 //CONSTANT(KINTERRUPT_STATE_DISABLED), 330 //CONSTANT(TARGET_FREEZE), // amd64 331 //CONSTANT(BlackHole), // FIXME: obsolete 332 CONSTANT(DBG_STATUS_CONTROL_C), 333 //CONSTANTPTR(USER_SHARED_DATA), // FIXME: we need the kernel mode address here! 
334 //CONSTANT(MM_SHARED_USER_DATA_VA), 335 //CONSTANT(KERNEL_STACK_CONTROL_LARGE_STACK), // FIXME: obsolete 336 //CONSTANT(DISPATCH_LENGTH), // FIXME: obsolete 337 //CONSTANT(KI_SLIST_FAULT_COUNT_MAXIMUM), // i386 338 //CONSTANTUSER_CALLBACK_FILTER), 339 340 #if !defined(_M_ARM) && !defined(_M_ARM64) 341 CONSTANT(MAXIMUM_IDTVECTOR), 342 //CONSTANT(MAXIMUM_PRIMARY_VECTOR), 343 CONSTANT(PRIMARY_VECTOR_BASE), 344 CONSTANT(RPL_MASK), 345 CONSTANT(MODE_MASK), 346 //MODE_BIT equ 00000H amd64 347 //LDT_MASK equ 00004H amd64 348 #endif 349 350 351 /* STRUCTURE OFFSETS *********************************************************/ 352 353 //HEADER("KAFFINITY_EX"), 354 //OFFSET(AfCount, KAFFINITY_EX, Count), 355 //OFFSET(AfBitmap, KAFFINITY_EX, Bitmap), 356 //SIZE(AffinityExLength, KAFFINITY_EX), 357 358 //HEADER("Aligned Affinity"), 359 //OFFSET(AfsCpuSet, ???, CpuSet), // FIXME: obsolete 360 361 HEADER("KAPC"), 362 OFFSET(ApType, KAPC, Type), 363 OFFSET(ApSize, KAPC, Size), 364 OFFSET(ApThread, KAPC, Thread), 365 OFFSET(ApApcListEntry, KAPC, ApcListEntry), 366 OFFSET(ApKernelRoutine, KAPC, KernelRoutine), 367 OFFSET(ApRundownRoutine, KAPC, RundownRoutine), 368 OFFSET(ApNormalRoutine, KAPC, NormalRoutine), 369 OFFSET(ApNormalContext, KAPC, NormalContext), 370 OFFSET(ApSystemArgument1, KAPC, SystemArgument1), 371 OFFSET(ApSystemArgument2, KAPC, SystemArgument2), 372 OFFSET(ApApcStateIndex, KAPC, ApcStateIndex), 373 OFFSET(ApApcMode, KAPC, ApcMode), 374 OFFSET(ApInserted, KAPC, Inserted), 375 SIZE(ApcObjectLength, KAPC), 376 377 HEADER("KAPC offsets (relative to NormalRoutine)"), 378 RELOFFSET(ArNormalRoutine, KAPC, NormalRoutine, NormalRoutine), 379 RELOFFSET(ArNormalContext, KAPC, NormalContext, NormalRoutine), 380 RELOFFSET(ArSystemArgument1, KAPC, SystemArgument1, NormalRoutine), 381 RELOFFSET(ArSystemArgument2, KAPC, SystemArgument2, NormalRoutine), 382 CONSTANTX(ApcRecordLength, 4 * sizeof(PVOID)), 383 384 HEADER("KAPC_STATE"), 385 OFFSET(AsApcListHead, KAPC_STATE, 
ApcListHead), 386 OFFSET(AsProcess, KAPC_STATE, Process), 387 OFFSET(AsKernelApcInProgress, KAPC_STATE, KernelApcInProgress), // FIXME: obsolete 388 OFFSET(AsKernelApcPending, KAPC_STATE, KernelApcPending), 389 OFFSET(AsUserApcPending, KAPC_STATE, UserApcPending), 390 391 HEADER("CLIENT_ID"), 392 OFFSET(CidUniqueProcess, CLIENT_ID, UniqueProcess), 393 OFFSET(CidUniqueThread, CLIENT_ID, UniqueThread), 394 395 HEADER("RTL_CRITICAL_SECTION"), // No longer in Win 10 amd64 396 OFFSET(CsDebugInfo, RTL_CRITICAL_SECTION, DebugInfo), 397 OFFSET(CsLockCount, RTL_CRITICAL_SECTION, LockCount), 398 OFFSET(CsRecursionCount, RTL_CRITICAL_SECTION, RecursionCount), 399 OFFSET(CsOwningThread, RTL_CRITICAL_SECTION, OwningThread), 400 OFFSET(CsLockSemaphore, RTL_CRITICAL_SECTION, LockSemaphore), 401 OFFSET(CsSpinCount, RTL_CRITICAL_SECTION, SpinCount), 402 403 HEADER("RTL_CRITICAL_SECTION_DEBUG"), // No longer in Win 10 amd64 404 OFFSET(CsType, RTL_CRITICAL_SECTION_DEBUG, Type), 405 OFFSET(CsCreatorBackTraceIndex, RTL_CRITICAL_SECTION_DEBUG, CreatorBackTraceIndex), 406 OFFSET(CsCriticalSection, RTL_CRITICAL_SECTION_DEBUG, CriticalSection), 407 OFFSET(CsProcessLocksList, RTL_CRITICAL_SECTION_DEBUG, ProcessLocksList), 408 OFFSET(CsEntryCount, RTL_CRITICAL_SECTION_DEBUG, EntryCount), 409 OFFSET(CsContentionCount, RTL_CRITICAL_SECTION_DEBUG, ContentionCount), 410 411 HEADER("KDEVICE_QUEUE_ENTRY"), 412 OFFSET(DeDeviceListEntry, KDEVICE_QUEUE_ENTRY, DeviceListEntry), 413 OFFSET(DeSortKey, KDEVICE_QUEUE_ENTRY, SortKey), 414 OFFSET(DeInserted, KDEVICE_QUEUE_ENTRY, Inserted), 415 SIZE(DeviceQueueEntryLength, KDEVICE_QUEUE_ENTRY), 416 417 HEADER("KDPC"), 418 OFFSET(DpType, KDPC, Type), 419 OFFSET(DpImportance, KDPC, Importance), 420 OFFSET(DpNumber, KDPC, Number), 421 OFFSET(DpDpcListEntry, KDPC, DpcListEntry), 422 OFFSET(DpDeferredRoutine, KDPC, DeferredRoutine), 423 OFFSET(DpDeferredContext, KDPC, DeferredContext), 424 OFFSET(DpSystemArgument1, KDPC, SystemArgument1), 425 
OFFSET(DpSystemArgument2, KDPC, SystemArgument2), 426 OFFSET(DpDpcData, KDPC, DpcData), 427 SIZE(DpcObjectLength, KDPC), 428 429 HEADER("KDEVICE_QUEUE"), 430 OFFSET(DvType, KDEVICE_QUEUE, Type), 431 OFFSET(DvSize, KDEVICE_QUEUE, Size), 432 OFFSET(DvDeviceListHead, KDEVICE_QUEUE, DeviceListHead), 433 OFFSET(DvSpinLock, KDEVICE_QUEUE, Lock), 434 OFFSET(DvBusy, KDEVICE_QUEUE, Busy), 435 SIZE(DeviceQueueObjectLength, KDEVICE_QUEUE), 436 437 HEADER("EXCEPTION_RECORD"), 438 OFFSET(ErExceptionCode, EXCEPTION_RECORD, ExceptionCode), 439 OFFSET(ErExceptionFlags, EXCEPTION_RECORD, ExceptionFlags), 440 OFFSET(ErExceptionRecord, EXCEPTION_RECORD, ExceptionRecord), 441 OFFSET(ErExceptionAddress, EXCEPTION_RECORD, ExceptionAddress), 442 OFFSET(ErNumberParameters, EXCEPTION_RECORD, NumberParameters), 443 OFFSET(ErExceptionInformation, EXCEPTION_RECORD, ExceptionInformation), 444 SIZE(ExceptionRecordLength, EXCEPTION_RECORD), 445 SIZE(EXCEPTION_RECORD_LENGTH, EXCEPTION_RECORD), // not 1386 446 447 HEADER("EPROCESS"), 448 OFFSET(EpDebugPort, EPROCESS, DebugPort), 449 #if defined(_M_IX86) 450 OFFSET(EpVdmObjects, EPROCESS, VdmObjects), 451 #elif defined(_M_AMD64) 452 OFFSET(EpWow64Process, EPROCESS, Wow64Process), 453 #endif 454 SIZE(ExecutiveProcessObjectLength, EPROCESS), 455 456 HEADER("ETHREAD offsets"), 457 OFFSET(EtCid, ETHREAD, Cid), // 0x364 458 //OFFSET(EtPicoContext, ETHREAD, PicoContext), 459 SIZE(ExecutiveThreadObjectLength, ETHREAD), // 0x418 460 461 HEADER("KEVENT"), 462 OFFSET(EvType, KEVENT, Header.Type), 463 OFFSET(EvSize, KEVENT, Header.Size), 464 OFFSET(EvSignalState, KEVENT, Header.SignalState), 465 OFFSET(EvWaitListHead, KEVENT, Header.WaitListHead), 466 SIZE(EventObjectLength, KEVENT), 467 468 HEADER("FIBER"), 469 OFFSET(FbFiberData, FIBER, FiberData), 470 OFFSET(FbExceptionList, FIBER, ExceptionList), 471 OFFSET(FbStackBase, FIBER, StackBase), 472 OFFSET(FbStackLimit, FIBER, StackLimit), 473 OFFSET(FbDeallocationStack, FIBER, DeallocationStack), 474 
OFFSET(FbFiberContext, FIBER, FiberContext), 475 //OFFSET(FbWx86Tib, FIBER, Wx86Tib), 476 //OFFSET(FbActivationContextStackPointer, FIBER, ActivationContextStackPointer), 477 OFFSET(FbFlsData, FIBER, FlsData), 478 OFFSET(FbGuaranteedStackBytes, FIBER, GuaranteedStackBytes), 479 //OFFSET(FbTebFlags, FIBER, TebFlags), 480 481 HEADER("FAST_MUTEX"), 482 OFFSET(FmCount, FAST_MUTEX, Count), 483 OFFSET(FmOwner, FAST_MUTEX, Owner), 484 OFFSET(FmContention, FAST_MUTEX, Contention), 485 //OFFSET(FmGate, FAST_MUTEX, Gate), // obsolete 486 OFFSET(FmOldIrql, FAST_MUTEX, OldIrql), 487 488 #ifndef _M_ARM 489 HEADER("GETSETCONTEXT offsets"), // GET_SET_CTX_CONTEXT 490 OFFSET(GetSetCtxContextPtr, GETSETCONTEXT, Context), 491 #endif // _M_ARM 492 493 HEADER("KINTERRUPT"), 494 OFFSET(InType, KINTERRUPT, Type), 495 OFFSET(InSize, KINTERRUPT, Size), 496 OFFSET(InInterruptListEntry, KINTERRUPT, InterruptListEntry), 497 OFFSET(InServiceRoutine, KINTERRUPT, ServiceRoutine), 498 OFFSET(InServiceContext, KINTERRUPT, ServiceContext), 499 OFFSET(InSpinLock, KINTERRUPT, SpinLock), 500 OFFSET(InTickCount, KINTERRUPT, TickCount), 501 OFFSET(InActualLock, KINTERRUPT, ActualLock), 502 OFFSET(InDispatchAddress, KINTERRUPT, DispatchAddress), 503 OFFSET(InVector, KINTERRUPT, Vector), 504 OFFSET(InIrql, KINTERRUPT, Irql), 505 OFFSET(InSynchronizeIrql, KINTERRUPT, SynchronizeIrql), 506 OFFSET(InFloatingSave, KINTERRUPT, FloatingSave), 507 OFFSET(InConnected, KINTERRUPT, Connected), 508 OFFSET(InNumber, KINTERRUPT, Number), 509 OFFSET(InShareVector, KINTERRUPT, ShareVector), 510 //OFFSET(InInternalState, KINTERRUPT, InternalState), 511 OFFSET(InMode, KINTERRUPT, Mode), 512 OFFSET(InServiceCount, KINTERRUPT, ServiceCount), 513 OFFSET(InDispatchCount, KINTERRUPT, DispatchCount), 514 //OFFSET(InTrapFrame, KINTERRUPT, TrapFrame), // amd64 515 OFFSET(InDispatchCode, KINTERRUPT, DispatchCode), // obsolete 516 SIZE(InterruptObjectLength, KINTERRUPT), 517 518 #ifdef _M_AMD64 519 HEADER("IO_STATUS_BLOCK"), 520 
OFFSET(IoStatus, IO_STATUS_BLOCK, Status), 521 OFFSET(IoPointer, IO_STATUS_BLOCK, Pointer), 522 OFFSET(IoInformation, IO_STATUS_BLOCK, Information), 523 #endif /* _M_AMD64 */ 524 525 #if (NTDDI_VERSION >= NTDDI_WIN8) 526 HEADER("KSTACK_CONTROL"), 527 OFFSET(KcCurrentBase, KSTACK_CONTROL, StackBase), 528 OFFSET(KcActualLimit, KSTACK_CONTROL, ActualLimit), 529 OFFSET(KcPreviousBase, KSTACK_CONTROL, Previous.StackBase), 530 OFFSET(KcPreviousLimit, KSTACK_CONTROL, Previous.StackLimit), 531 OFFSET(KcPreviousKernel, KSTACK_CONTROL, Previous.KernelStack), 532 OFFSET(KcPreviousInitial, KSTACK_CONTROL, Previous.InitialStack), 533 #ifdef _IX86 534 OFFSET(KcTrapFrame, KSTACK_CONTROL, PreviousTrapFrame), 535 OFFSET(KcExceptionList, KSTACK_CONTROL, PreviousExceptionList), 536 #endif // _IX86 537 SIZE(KSTACK_CONTROL_LENGTH, KSTACK_CONTROL), 538 CONSTANT(KSTACK_ACTUAL_LIMIT_EXPANDED), // move somewhere else? 539 #else 540 //HEADER("KERNEL_STACK_CONTROL"), // obsolete 541 #endif 542 543 #if 0 // no longer in win 10, different struct 544 HEADER("KNODE"), 545 //OFFSET(KnRight, KNODE, Right), 546 //OFFSET(KnLeft, KNODE, Left), 547 OFFSET(KnPfnDereferenceSListHead, KNODE, PfnDereferenceSListHead), 548 OFFSET(KnProcessorMask, KNODE, ProcessorMask), 549 OFFSET(KnColor, KNODE, Color), 550 OFFSET(KnSeed, KNODE, Seed), 551 OFFSET(KnNodeNumber, KNODE, NodeNumber), 552 OFFSET(KnFlags, KNODE, Flags), 553 OFFSET(KnMmShiftedColor, KNODE, MmShiftedColor), 554 OFFSET(KnFreeCount, KNODE, FreeCount), 555 OFFSET(KnPfnDeferredList, KNODE, PfnDeferredList), 556 SIZE(KNODE_SIZE, KNODE), 557 #endif 558 559 HEADER("KSPIN_LOCK_QUEUE"), 560 OFFSET(LqNext, KSPIN_LOCK_QUEUE, Next), 561 OFFSET(LqLock, KSPIN_LOCK_QUEUE, Lock), 562 SIZE(LOCK_QUEUE_HEADER_SIZE, KSPIN_LOCK_QUEUE), 563 564 HEADER("KLOCK_QUEUE_HANDLE"), 565 OFFSET(LqhLockQueue, KLOCK_QUEUE_HANDLE, LockQueue), 566 OFFSET(LqhNext, KLOCK_QUEUE_HANDLE, LockQueue.Next), 567 OFFSET(LqhLock, KLOCK_QUEUE_HANDLE, LockQueue.Lock), 568 OFFSET(LqhOldIrql, 
KLOCK_QUEUE_HANDLE, OldIrql), 569 570 HEADER("LARGE_INTEGER"), 571 OFFSET(LiLowPart, LARGE_INTEGER, LowPart), 572 OFFSET(LiHighPart, LARGE_INTEGER, HighPart), 573 574 HEADER("LOADER_PARAMETER_BLOCK (rel. to LoadOrderListHead)"), 575 RELOFFSET(LpbKernelStack, LOADER_PARAMETER_BLOCK, KernelStack, LoadOrderListHead), 576 RELOFFSET(LpbPrcb, LOADER_PARAMETER_BLOCK, Prcb, LoadOrderListHead), 577 RELOFFSET(LpbProcess, LOADER_PARAMETER_BLOCK, Process, LoadOrderListHead), 578 RELOFFSET(LpbThread, LOADER_PARAMETER_BLOCK, Thread, LoadOrderListHead), 579 580 HEADER("LIST_ENTRY"), 581 OFFSET(LsFlink, LIST_ENTRY, Flink), 582 OFFSET(LsBlink, LIST_ENTRY, Blink), 583 584 HEADER("PEB"), 585 OFFSET(PeBeingDebugged, PEB, BeingDebugged), 586 OFFSET(PeProcessParameters, PEB, ProcessParameters), 587 OFFSET(PeKernelCallbackTable, PEB, KernelCallbackTable), 588 SIZE(ProcessEnvironmentBlockLength, PEB), 589 590 HEADER("KPROFILE"), 591 OFFSET(PfType, KPROFILE, Type), 592 OFFSET(PfSize, KPROFILE, Size), 593 OFFSET(PfProfileListEntry, KPROFILE, ProfileListEntry), 594 OFFSET(PfProcess, KPROFILE, Process), 595 OFFSET(PfRangeBase, KPROFILE, RangeBase), 596 OFFSET(PfRangeLimit, KPROFILE, RangeLimit), 597 OFFSET(PfBucketShift, KPROFILE, BucketShift), 598 OFFSET(PfBuffer, KPROFILE, Buffer), 599 OFFSET(PfSegment, KPROFILE, Segment), 600 OFFSET(PfAffinity, KPROFILE, Affinity), 601 OFFSET(PfSource, KPROFILE, Source), 602 OFFSET(PfStarted, KPROFILE, Started), 603 SIZE(ProfileObjectLength, KPROFILE), 604 605 HEADER("PORT_MESSAGE"), // whole thing obsolete in win10 606 OFFSET(PmLength, PORT_MESSAGE, u1.Length), 607 OFFSET(PmZeroInit, PORT_MESSAGE, u2.ZeroInit), 608 OFFSET(PmClientId, PORT_MESSAGE, ClientId), 609 OFFSET(PmProcess, PORT_MESSAGE, ClientId.UniqueProcess), 610 OFFSET(PmThread, PORT_MESSAGE, ClientId.UniqueThread), 611 OFFSET(PmMessageId, PORT_MESSAGE, MessageId), 612 OFFSET(PmClientViewSize, PORT_MESSAGE, ClientViewSize), 613 SIZE(PortMessageLength, PORT_MESSAGE), 614 615 HEADER("KPROCESS"), 
616 OFFSET(PrType, KPROCESS, Header.Type), 617 OFFSET(PrSize, KPROCESS, Header.Size), 618 OFFSET(PrSignalState, KPROCESS, Header.SignalState), 619 OFFSET(PrProfileListHead, KPROCESS, ProfileListHead), 620 OFFSET(PrDirectoryTableBase, KPROCESS, DirectoryTableBase), 621 #ifdef _M_ARM 622 //OFFSET(PrPageDirectory, KPROCESS, PageDirectory), 623 #elif defined(_M_IX86) 624 OFFSET(PrLdtDescriptor, KPROCESS, LdtDescriptor), 625 OFFSET(PrInt21Descriptor, KPROCESS, Int21Descriptor), 626 #endif 627 OFFSET(PrThreadListHead, KPROCESS, ThreadListHead), 628 OFFSET(PrAffinity, KPROCESS, Affinity), 629 OFFSET(PrReadyListHead, KPROCESS, ReadyListHead), 630 OFFSET(PrSwapListEntry, KPROCESS, SwapListEntry), 631 OFFSET(PrActiveProcessors, KPROCESS, ActiveProcessors), 632 OFFSET(PrProcessFlags, KPROCESS, ProcessFlags), 633 OFFSET(PrBasePriority, KPROCESS, BasePriority), 634 OFFSET(PrQuantumReset, KPROCESS, QuantumReset), 635 #if defined(_M_IX86) 636 OFFSET(PrIopmOffset, KPROCESS, IopmOffset), 637 #endif 638 #if (NTDDI_VERSION >= NTDDI_LONGHORN) 639 OFFSET(PrCycleTime, KPROCESS, CycleTime), 640 #endif 641 OFFSET(PrKernelTime, KPROCESS, KernelTime), 642 OFFSET(PrUserTime, KPROCESS, UserTime), 643 #if defined(_M_AMD64) || defined(_M_ARM) 644 //OFFSET(PrInstrumentationCallback, KPROCESS, InstrumentationCallback), 645 #elif defined(_M_IX86) 646 OFFSET(PrVdmTrapcHandler, KPROCESS, VdmTrapcHandler), 647 //OFFSET(PrVdmObjects, KPROCESS, VdmObjects), 648 OFFSET(PrFlags, KPROCESS, Flags), 649 #endif 650 SIZE(KernelProcessObjectLength, KPROCESS), 651 652 HEADER("KQUEUE"), 653 OFFSET(QuType, KQUEUE, Header.Type), // not in win10 654 OFFSET(QuSize, KQUEUE, Header.Size), // not in win10 655 OFFSET(QuSignalState, KQUEUE, Header.SignalState), 656 OFFSET(QuEntryListHead, KQUEUE, EntryListHead), 657 OFFSET(QuCurrentCount, KQUEUE, CurrentCount), 658 OFFSET(QuMaximumCount, KQUEUE, MaximumCount), 659 OFFSET(QuThreadListHead, KQUEUE, ThreadListHead), 660 SIZE(QueueObjectLength, KQUEUE), 661 662 
// Table of OFFSET(Sym, Type, Field) / SIZE(Sym, Type) / CONSTANT(Sym) entries.
// HEADER() only labels a group. Presumably each entry is emitted as one
// assembler symbol by the include generator — the macro definitions are outside
// this file, confirm there.
// NOTE(review): the consumers of these symbols are assembly sources that the
// compiler cannot type-check against the C structures, so a stale or wrong
// entry is not a build error but a silent wrong-offset memory access.
HEADER("KSERVICE_TABLE_DESCRIPTOR offsets"),
OFFSET(SdBase, KSERVICE_TABLE_DESCRIPTOR, Base),
OFFSET(SdCount, KSERVICE_TABLE_DESCRIPTOR, Count), // not in win10
OFFSET(SdLimit, KSERVICE_TABLE_DESCRIPTOR, Limit),
OFFSET(SdNumber, KSERVICE_TABLE_DESCRIPTOR, Number),
SIZE(SdLength, KSERVICE_TABLE_DESCRIPTOR),

HEADER("STRING"),
OFFSET(StrLength, STRING, Length),
OFFSET(StrMaximumLength, STRING, MaximumLength),
OFFSET(StrBuffer, STRING, Buffer),

HEADER("TEB"),
// The NtTib members differ per architecture; only the arch-specific ones are
// guarded, the common NtTib fields follow unguarded.
#if defined(_M_IX86)
OFFSET(TeExceptionList, TEB, NtTib.ExceptionList),
#elif defined(_M_AMD64)
OFFSET(TeCmTeb, TEB, NtTib),
#endif
OFFSET(TeStackBase, TEB, NtTib.StackBase),
OFFSET(TeStackLimit, TEB, NtTib.StackLimit),
OFFSET(TeFiberData, TEB, NtTib.FiberData),
OFFSET(TeSelf, TEB, NtTib.Self),
OFFSET(TeEnvironmentPointer, TEB, EnvironmentPointer),
OFFSET(TeClientId, TEB, ClientId),
OFFSET(TeActiveRpcHandle, TEB, ActiveRpcHandle),
OFFSET(TeThreadLocalStoragePointer, TEB, ThreadLocalStoragePointer),
OFFSET(TePeb, TEB, ProcessEnvironmentBlock),
OFFSET(TeLastErrorValue, TEB, LastErrorValue),
OFFSET(TeCountOfOwnedCriticalSections, TEB, CountOfOwnedCriticalSections),
OFFSET(TeCsrClientThread, TEB, CsrClientThread),
OFFSET(TeWOW32Reserved, TEB, WOW32Reserved),
//OFFSET(TeSoftFpcr, TEB, SoftFpcr),
OFFSET(TeExceptionCode, TEB, ExceptionCode),
OFFSET(TeActivationContextStackPointer, TEB, ActivationContextStackPointer),
// Win10-only instrumentation-callback fields, kept disabled (including the
// version guard itself) until the TEB definition provides them.
//#if (NTDDI_VERSION >= NTDDI_WIN10)
//OFFSET(TeInstrumentationCallbackSp, TEB, InstrumentationCallbackSp),
//OFFSET(TeInstrumentationCallbackPreviousPc, TEB, InstrumentationCallbackPreviousPc),
//OFFSET(TeInstrumentationCallbackPreviousSp, TEB, InstrumentationCallbackPreviousSp),
//#endif
OFFSET(TeGdiClientPID, TEB, GdiClientPID),
OFFSET(TeGdiClientTID, TEB, GdiClientTID),
OFFSET(TeGdiThreadLocalInfo, TEB, GdiThreadLocalInfo),
OFFSET(TeglDispatchTable, TEB, glDispatchTable),
OFFSET(TeglReserved1, TEB, glReserved1),
OFFSET(TeglReserved2, TEB, glReserved2),
OFFSET(TeglSectionInfo, TEB, glSectionInfo),
OFFSET(TeglSection, TEB, glSection),
OFFSET(TeglTable, TEB, glTable),
OFFSET(TeglCurrentRC, TEB, glCurrentRC),
OFFSET(TeglContext, TEB, glContext),
OFFSET(TeDeallocationStack, TEB, DeallocationStack),
OFFSET(TeTlsSlots, TEB, TlsSlots),
OFFSET(TeVdm, TEB, Vdm),
OFFSET(TeInstrumentation, TEB, Instrumentation),
OFFSET(TeGdiBatchCount, TEB, GdiBatchCount),
OFFSET(TeGuaranteedStackBytes, TEB, GuaranteedStackBytes),
OFFSET(TeTlsExpansionSlots, TEB, TlsExpansionSlots),
OFFSET(TeFlsData, TEB, FlsData),
SIZE(ThreadEnvironmentBlockLength, TEB),

HEADER("TIME_FIELDS"),
OFFSET(TfYear, TIME_FIELDS, Year),
OFFSET(TfMonth, TIME_FIELDS, Month),
OFFSET(TfDay, TIME_FIELDS, Day),
OFFSET(TfHour, TIME_FIELDS, Hour),
OFFSET(TfMinute, TIME_FIELDS, Minute),
OFFSET(TfSecond, TIME_FIELDS, Second),
OFFSET(TfMilliseconds, TIME_FIELDS, Milliseconds),
OFFSET(TfWeekday, TIME_FIELDS, Weekday),

HEADER("KTHREAD"),
// Header.* entries address the embedded DISPATCHER_HEADER; the remaining
// entries are KTHREAD's own fields. Entries marked "obsolete" are still
// emitted; remove them only after checking no assembly source references them.
OFFSET(ThType, KTHREAD, Header.Type),
OFFSET(ThLock, KTHREAD, Header.Lock),
OFFSET(ThSize, KTHREAD, Header.Size),
OFFSET(ThThreadControlFlags, KTHREAD, Header.ThreadControlFlags),
OFFSET(ThDebugActive, KTHREAD, Header.DebugActive),
OFFSET(ThSignalState, KTHREAD, Header.SignalState),
OFFSET(ThInitialStack, KTHREAD, InitialStack),
OFFSET(ThStackLimit, KTHREAD, StackLimit),
OFFSET(ThStackBase, KTHREAD, StackBase),
OFFSET(ThThreadLock, KTHREAD, ThreadLock),
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
OFFSET(ThCycleTime, KTHREAD, CycleTime),
#if defined(_M_IX86)
OFFSET(ThHighCycleTime, KTHREAD, HighCycleTime),
#endif
#endif /* (NTDDI_VERSION >= NTDDI_LONGHORN) */
#if defined(_M_IX86)
// Per-thread service table pointer; only x86 keeps it in KTHREAD here.
OFFSET(ThServiceTable, KTHREAD, ServiceTable),
#endif
//OFFSET(ThCurrentRunTime, KTHREAD, CurrentRunTime),
//OFFSET(ThStateSaveArea, KTHREAD, StateSaveArea), // 0x3C not arm
OFFSET(ThKernelStack, KTHREAD, KernelStack),
#if (NTDDI_VERSION >= NTDDI_WIN7)
OFFSET(ThRunning, KTHREAD, Running),
#endif /* (NTDDI_VERSION >= NTDDI_WIN7) */
OFFSET(ThAlerted, KTHREAD, Alerted),
#if (NTDDI_VERSION >= NTDDI_WIN7)
OFFSET(ThMiscFlags, KTHREAD, MiscFlags),
#endif /* (NTDDI_VERSION >= NTDDI_WIN7) */
OFFSET(ThThreadFlags, KTHREAD, ThreadFlags),
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
OFFSET(ThSystemCallNumber, KTHREAD, SystemCallNumber),
#endif /* (NTDDI_VERSION >= NTDDI_LONGHORN) */
//OFFSET(ThFirstArgument, KTHREAD, FirstArgument),
OFFSET(ThTrapFrame, KTHREAD, TrapFrame),
OFFSET(ThApcState, KTHREAD, ApcState),
OFFSET(ThPriority, KTHREAD, Priority), // obsolete
OFFSET(ThSwapBusy, KTHREAD, SwapBusy),
OFFSET(ThContextSwitches, KTHREAD, ContextSwitches),
OFFSET(ThState, KTHREAD, State),
OFFSET(ThProcess, KTHREAD, Process), // thProcess in native headers
OFFSET(ThNpxState, KTHREAD, NpxState),
OFFSET(ThWaitIrql, KTHREAD, WaitIrql),
OFFSET(ThWaitMode, KTHREAD, WaitMode), // obsolete
OFFSET(ThTeb, KTHREAD, Teb),
OFFSET(ThTimer, KTHREAD, Timer),
OFFSET(ThWin32Thread, KTHREAD, Win32Thread),
OFFSET(ThWaitTime, KTHREAD, WaitTime),
// CombinedApcDisable overlays the two 16-bit disable counts below — TODO
// confirm against the KTHREAD definition before relying on this in asm.
OFFSET(ThCombinedApcDisable, KTHREAD, CombinedApcDisable),
OFFSET(ThKernelApcDisable, KTHREAD, KernelApcDisable),
OFFSET(ThSpecialApcDisable, KTHREAD, SpecialApcDisable),
#if defined(_M_ARM)
//OFFSET(ThVfpState, KTHREAD, VfpState),
#endif
OFFSET(ThNextProcessor, KTHREAD, NextProcessor),
//OFFSET(ThProcess, KTHREAD, Process), // duplicate of the active ThProcess entry above
// NOTE(review): PreviousMode and TrapFrame are the fields the trap/syscall
// path is expected to read from assembly; an incorrect offset for either is
// a security-relevant bug rather than a cosmetic one — keep in sync with the
// struct definition.
OFFSET(ThPreviousMode, KTHREAD, PreviousMode),
OFFSET(ThPriorityDecrement, KTHREAD, PriorityDecrement), // obsolete
OFFSET(ThAdjustReason, KTHREAD, AdjustReason),
OFFSET(ThAdjustIncrement, KTHREAD, AdjustIncrement),
OFFSET(ThAffinity, KTHREAD, Affinity), // obsolete
OFFSET(ThApcStateIndex, KTHREAD, ApcStateIndex),
OFFSET(ThIdealProcessor, KTHREAD, IdealProcessor), // obsolete
OFFSET(ThApcStatePointer, KTHREAD, ApcStatePointer), // obsolete
OFFSET(ThSavedApcState, KTHREAD, SavedApcState), // obsolete
OFFSET(ThWaitReason, KTHREAD, WaitReason),
OFFSET(ThSaturation, KTHREAD, Saturation), // obsolete
OFFSET(ThLegoData, KTHREAD, LegoData),
//#if defined(_M_ARM) && (NTDDI_VERSION >= NTDDI_WIN10)
//OFFSET(ThUserRoBase, KTHREAD, UserRoBase),
//OFFSET(ThUserRwBase, KTHREAD, UserRwBase),
//#endif
#ifdef _M_IX86
//OFFSET(ThSListFaultCount, KTHREAD, SListFaultCount), // 0x18E
// NOTE(review): the field name below (ListFaultAddress) does not match the
// symbol name (SListFaultAddress); verify which is right before enabling.
//OFFSET(ThSListFaultAddress, KTHREAD, ListFaultAddress), // 0x10
#endif // _M_IX86
#if defined(_M_IX86) || defined(_M_AMD64)
//OFFSET(ThUserFsBase, KTHREAD, UserFsBase), // 0x434
//OFFSET(ThUserGsBase, KTHREAD, GsBase), // 0x438
#endif // defined
SIZE(KernelThreadObjectLength, KTHREAD),

HEADER("ETHREAD"),
// Group currently emits nothing; the header label is kept for the generated
// output's layout.
//OFFSET(ThSetContextState, ETHREAD, SetContextState),

HEADER("KTIMER"),
OFFSET(TiType, KTIMER, Header.Type),
OFFSET(TiSize, KTIMER, Header.Size),
// Header.Inserted exists only before Win7; later versions have no
// replacement entry in this table.
#if (NTDDI_VERSION < NTDDI_WIN7)
OFFSET(TiInserted, KTIMER, Header.Inserted),
#endif
OFFSET(TiSignalState, KTIMER, Header.SignalState),
OFFSET(TiDueTime, KTIMER, DueTime),
OFFSET(TiTimerListEntry, KTIMER, TimerListEntry),
OFFSET(TiDpc, KTIMER, Dpc),
OFFSET(TiPeriod, KTIMER, Period),
SIZE(TimerObjectLength, KTIMER),

HEADER("TIME"),
OFFSET(TmLowTime, TIME, LowTime),
OFFSET(TmHighTime, TIME, HighTime),

HEADER("SYSTEM_CONTEXT_SWITCH_INFORMATION (relative to FindAny)"),
// RELOFFSET(Sym, Type, Field, Base): every value here is taken relative to
// the FindAny member rather than to the start of the structure.
RELOFFSET(TwFindAny, SYSTEM_CONTEXT_SWITCH_INFORMATION, FindAny, FindAny),
RELOFFSET(TwFindIdeal, SYSTEM_CONTEXT_SWITCH_INFORMATION, FindIdeal, FindAny),
RELOFFSET(TwFindLast, SYSTEM_CONTEXT_SWITCH_INFORMATION, FindLast, FindAny),
RELOFFSET(TwIdleAny, SYSTEM_CONTEXT_SWITCH_INFORMATION, IdleAny, FindAny),
RELOFFSET(TwIdleCurrent, SYSTEM_CONTEXT_SWITCH_INFORMATION, IdleCurrent, FindAny),
RELOFFSET(TwIdleIdeal, SYSTEM_CONTEXT_SWITCH_INFORMATION, IdleIdeal, FindAny),
RELOFFSET(TwIdleLast, SYSTEM_CONTEXT_SWITCH_INFORMATION, IdleLast, FindAny),
RELOFFSET(TwPreemptAny, SYSTEM_CONTEXT_SWITCH_INFORMATION, PreemptAny, FindAny),
RELOFFSET(TwPreemptCurrent, SYSTEM_CONTEXT_SWITCH_INFORMATION, PreemptCurrent, FindAny),
RELOFFSET(TwPreemptLast, SYSTEM_CONTEXT_SWITCH_INFORMATION, PreemptLast, FindAny),
RELOFFSET(TwSwitchToIdle, SYSTEM_CONTEXT_SWITCH_INFORMATION, SwitchToIdle, FindAny),

HEADER("KUSER_SHARED_DATA"),
// The hex values in trailing comments are reference notes left by the author;
// they are not inputs to the macro and may not match every target.
OFFSET(UsTickCountMultiplier, KUSER_SHARED_DATA, TickCountMultiplier), // 0x4
OFFSET(UsInterruptTime, KUSER_SHARED_DATA, InterruptTime), // 0x8
OFFSET(UsSystemTime, KUSER_SHARED_DATA, SystemTime), // 0x14
OFFSET(UsTimeZoneBias, KUSER_SHARED_DATA, TimeZoneBias), // 0x20
OFFSET(UsImageNumberLow, KUSER_SHARED_DATA, ImageNumberLow),
OFFSET(UsImageNumberHigh, KUSER_SHARED_DATA, ImageNumberHigh),
OFFSET(UsNtSystemRoot, KUSER_SHARED_DATA, NtSystemRoot),
OFFSET(UsMaxStackTraceDepth, KUSER_SHARED_DATA, MaxStackTraceDepth),
OFFSET(UsCryptoExponent, KUSER_SHARED_DATA, CryptoExponent),
OFFSET(UsTimeZoneId, KUSER_SHARED_DATA, TimeZoneId),
OFFSET(UsLargePageMinimum, KUSER_SHARED_DATA, LargePageMinimum),
// Same slot is NtBuildNumber on Win10 and Reserved2 before; the version
// switch is parked in comments and Reserved2 is emitted unconditionally.
//#if (NTDDI_VERSION >= NTDDI_WIN10)
//OFFSET(UsNtBuildNumber, KUSER_SHARED_DATA, NtBuildNumber),
//#else
OFFSET(UsReserved2, KUSER_SHARED_DATA, Reserved2),
//#endif
OFFSET(UsNtProductType, KUSER_SHARED_DATA, NtProductType),
OFFSET(UsProductTypeIsValid, KUSER_SHARED_DATA, ProductTypeIsValid),
OFFSET(UsNtMajorVersion, KUSER_SHARED_DATA, NtMajorVersion),
OFFSET(UsNtMinorVersion, KUSER_SHARED_DATA, NtMinorVersion),
OFFSET(UsProcessorFeatures, KUSER_SHARED_DATA, ProcessorFeatures),
OFFSET(UsReserved1, KUSER_SHARED_DATA, Reserved1),
OFFSET(UsReserved3, KUSER_SHARED_DATA, Reserved3),
OFFSET(UsTimeSlip, KUSER_SHARED_DATA, TimeSlip),
OFFSET(UsAlternativeArchitecture, KUSER_SHARED_DATA, AlternativeArchitecture),
OFFSET(UsSystemExpirationDate, KUSER_SHARED_DATA, SystemExpirationDate), // not arm
OFFSET(UsSuiteMask, KUSER_SHARED_DATA, SuiteMask),
OFFSET(UsKdDebuggerEnabled, KUSER_SHARED_DATA, KdDebuggerEnabled),
OFFSET(UsActiveConsoleId, KUSER_SHARED_DATA, ActiveConsoleId),
OFFSET(UsDismountCount, KUSER_SHARED_DATA, DismountCount),
OFFSET(UsComPlusPackage, KUSER_SHARED_DATA, ComPlusPackage),
OFFSET(UsLastSystemRITEventTickCount, KUSER_SHARED_DATA, LastSystemRITEventTickCount),
OFFSET(UsNumberOfPhysicalPages, KUSER_SHARED_DATA, NumberOfPhysicalPages),
OFFSET(UsSafeBootMode, KUSER_SHARED_DATA, SafeBootMode),
OFFSET(UsTestRetInstruction, KUSER_SHARED_DATA, TestRetInstruction),
// The three SystemCall* entries and Wow64SharedInformation are flagged as
// absent on Win10; code that targets Win10 layouts must not depend on them.
OFFSET(UsSystemCall, KUSER_SHARED_DATA, SystemCall), // not in win10
OFFSET(UsSystemCallReturn, KUSER_SHARED_DATA, SystemCallReturn), // not in win10
OFFSET(UsSystemCallPad, KUSER_SHARED_DATA, SystemCallPad),
OFFSET(UsTickCount, KUSER_SHARED_DATA, TickCount),
OFFSET(UsTickCountQuad, KUSER_SHARED_DATA, TickCountQuad),
OFFSET(UsWow64SharedInformation, KUSER_SHARED_DATA, Wow64SharedInformation), // not in win10
//OFFSET(UsXState, KUSER_SHARED_DATA, XState), // win 10

HEADER("KWAIT_BLOCK offsets"),
OFFSET(WbWaitListEntry, KWAIT_BLOCK, WaitListEntry),
OFFSET(WbThread, KWAIT_BLOCK, Thread),
OFFSET(WbObject, KWAIT_BLOCK, Object),
OFFSET(WbNextWaitBlock, KWAIT_BLOCK, NextWaitBlock), // not in win10
OFFSET(WbWaitKey, KWAIT_BLOCK, WaitKey),
OFFSET(WbWaitType, KWAIT_BLOCK, WaitType),

#ifdef _M_AMD64
SIZE(KSTART_FRAME_LENGTH, KSTART_FRAME),
#endif

// Disabled work list. Several entries use placeholder type names ("???",
// "????") or are missing macro arguments (e.g. OFFSET(CxxLegacyOffset 0x8)
// has no comma and no type), so this block does not compile as written and
// cannot simply be switched on; each entry needs its real type and field
// resolved first.
#if 0

CONSTANT(CFlushSize),
CONSTANT(Win32BatchFlushCallout),
CONSTANT(ServiceCpupReturnFromSimulatedCode),
CONSTANT(X86AMD64_R3_LONG_MODE_CODE),
CONSTANT(USER_CALLBACK_FILTER),
CONSTANT(SYSTEM_CALL_INT_2E),

HEADER("Process mitigation option flags"),
CONSTANT(PS_MITIGATION_OPTION_BITS_PER_OPTION),
CONSTANT(PS_MITIGATION_OPTION_ALWAYS_ON),
CONSTANT(PS_MITIGATION_OPTION_ALWAYS_OFF),
CONSTANT(PS_MITIGATION_OPTION_MASK),
CONSTANT(PS_MITIGATION_OPTION_RETURN_FLOW_GUARD),
CONSTANT(PS_MITIGATION_OPTION_RESTRICT_SET_THREAD_CONTEXT),

#ifndef _M_ARM
HEADER("Bounds Callback Status Codes"),
CONSTANT(BoundExceptionContinueSearch),
CONSTANT(BoundExceptionHandled),
CONSTANT(BoundExceptionError),
#endif

HEADER("PS_SYSTEM_DLL_INIT_BLOCK"),
OFFSET(IbCfgBitMap, PS_SYSTEM_DLL_INIT_BLOCK, CfgBitMap),
OFFSET(IbWow64CfgBitMap, PS_SYSTEM_DLL_INIT_BLOCK, Wow64CfgBitMap),
OFFSET(IbMitigationOptionsMap, PS_SYSTEM_DLL_INIT_BLOCK, MitigationOptionsMap),

HEADER("Extended context"),
// Hard-coded offsets with no type/field — not valid OFFSET() invocations.
OFFSET(CxxLegacyOffset 0x8),
OFFSET(CxxLegacyLength 0xc),
OFFSET(CxxXStateOffset 0x10),
OFFSET(CxxXStateLength 0x14),

HEADER("Enclave call dispatch frame"),
OFFSET(EcEnclaveNumber, ???, EnclaveNumber),
OFFSET(EcParameterAddress, ???, ParameterAddress),
OFFSET(EcParameterValue, ???, ParameterValue),
OFFSET(EcOriginalReturn, ???, OriginalReturn),
OFFSET(EcFramePointer, ???, FramePointer),
OFFSET(EcReturnAddress, ???, ReturnAddress),

#ifndef _M_ARM
HEADER("Enlightenment"),
OFFSET(HeEnlightenments, ???, Enlightenments),
OFFSET(HeHypervisorConnected, ???, HypervisorConnected),
OFFSET(HeEndOfInterrupt, ???, EndOfInterrupt),
OFFSET(HeApicWriteIcr, ???, ApicWriteIcr),
OFFSET(HeSpinCountMask, ???, SpinCountMask),
OFFSET(HeLongSpinWait, ???, LongSpinWait),
#endif

HEADER("Processor Descriptor Area"),
OFFSET(PdaGdt, ????, ),
OFFSET(PdaKernelGsBase, ????, ),

OFFSET(PpFlags, ????, Flags),
OFFSET(EtwTSLength, ????, ),
OFFSET(CmThreadEnvironmentBlockOffset, ????, ),
OFFSET(PbEntropyCount, ????, ),
OFFSET(PbEntropyBuffer, ????, ),

#endif