3 HEADER("Pointer size"),
4 SIZE(SizeofPointer
, PVOID
),
6 HEADER("Bug Check Codes"),
7 CONSTANT(APC_INDEX_MISMATCH
),
8 CONSTANT(INVALID_AFFINITY_SET
),
9 CONSTANT(INVALID_DATA_ACCESS_TRAP
),
10 CONSTANT(IRQL_NOT_GREATER_OR_EQUAL
),
11 CONSTANT(IRQL_NOT_LESS_OR_EQUAL
), // 0x0a
12 CONSTANT(NO_USER_MODE_CONTEXT
), // 0x0e
13 CONSTANT(SPIN_LOCK_ALREADY_OWNED
), // 0x0f
14 CONSTANT(SPIN_LOCK_NOT_OWNED
), // 0x10
15 CONSTANT(THREAD_NOT_MUTEX_OWNER
), // 0x11
16 CONSTANT(TRAP_CAUSE_UNKNOWN
), // 0x12
17 CONSTANT(KMODE_EXCEPTION_NOT_HANDLED
), // 0x1e
18 CONSTANT(KERNEL_APC_PENDING_DURING_EXIT
), // 0x20
19 CONSTANT(PANIC_STACK_SWITCH
), // 0x2b
20 CONSTANT(DATA_BUS_ERROR
), // 0x2e
21 CONSTANT(INSTRUCTION_BUS_ERROR
), // 0x2f
22 CONSTANT(SYSTEM_EXIT_OWNED_MUTEX
), // 0x39
23 //CONSTANT(SYSTEM_UNWIND_PREVIOUS_USER), // 0x3a
24 //CONSTANT(SYSTEM_SERVICE_EXCEPTION), // 0x3b
25 //CONSTANT(INTERRUPT_UNWIND_ATTEMPTED), // 0x3c
26 //CONSTANT(INTERRUPT_EXCEPTION_NOT_HANDLED), // 0x3d
27 CONSTANT(PAGE_FAULT_WITH_INTERRUPTS_OFF
), // 0x49
28 CONSTANT(IRQL_GT_ZERO_AT_SYSTEM_SERVICE
), // 0x4a
29 CONSTANT(DATA_COHERENCY_EXCEPTION
), // 0x55
30 CONSTANT(INSTRUCTION_COHERENCY_EXCEPTION
), // 0x56
31 CONSTANT(HAL1_INITIALIZATION_FAILED
), // 0x61
32 CONSTANT(UNEXPECTED_KERNEL_MODE_TRAP
), // 0x7f
33 CONSTANT(NMI_HARDWARE_FAILURE
), // 0x80
34 CONSTANT(SPIN_LOCK_INIT_FAILURE
), // 0x81
35 CONSTANT(ATTEMPTED_SWITCH_FROM_DPC
), // 0xb8
36 //CONSTANT(MUTEX_ALREADY_OWNED), // 0xbf
37 //CONSTANT(HARDWARE_INTERRUPT_STORM), // 0xf2
38 //CONSTANT(RECURSIVE_MACHINE_CHECK), // 0xfb
39 //CONSTANT(RECURSIVE_NMI), // 0x111
40 CONSTANT(KERNEL_SECURITY_CHECK_FAILURE
), // 0x139
41 //CONSTANT(UNSUPPORTED_INSTRUCTION_MODE), // 0x151
42 //CONSTANT(BUGCHECK_CONTEXT_MODIFIER), // 0x80000000
44 HEADER("Breakpoints"),
45 CONSTANT(BREAKPOINT_BREAK
),
46 CONSTANT(BREAKPOINT_PRINT
),
47 CONSTANT(BREAKPOINT_PROMPT
),
48 CONSTANT(BREAKPOINT_LOAD_SYMBOLS
),
49 CONSTANT(BREAKPOINT_UNLOAD_SYMBOLS
),
50 CONSTANT(BREAKPOINT_COMMAND_STRING
),
52 HEADER("Context Frame Flags"),
53 CONSTANT(CONTEXT_FULL
),
54 CONSTANT(CONTEXT_CONTROL
),
55 CONSTANT(CONTEXT_INTEGER
),
56 CONSTANT(CONTEXT_FLOATING_POINT
),
57 CONSTANT(CONTEXT_DEBUG_REGISTERS
),
58 #if defined(_M_IX86) || defined(_M_AMD64)
59 CONSTANT(CONTEXT_SEGMENTS
),
62 HEADER("Exception flags"),
63 CONSTANT(EXCEPTION_NONCONTINUABLE
),
64 CONSTANT(EXCEPTION_UNWINDING
),
65 CONSTANT(EXCEPTION_EXIT_UNWIND
),
66 CONSTANT(EXCEPTION_STACK_INVALID
),
67 CONSTANT(EXCEPTION_NESTED_CALL
),
68 CONSTANT(EXCEPTION_TARGET_UNWIND
),
69 CONSTANT(EXCEPTION_COLLIDED_UNWIND
),
70 CONSTANT(EXCEPTION_UNWIND
),
71 CONSTANT(EXCEPTION_EXECUTE_HANDLER
),
72 CONSTANT(EXCEPTION_CONTINUE_SEARCH
),
73 CONSTANT(EXCEPTION_CONTINUE_EXECUTION
),
75 CONSTANT(EXCEPTION_CHAIN_END
),
76 //CONSTANT(FIXED_NTVDMSTATE_LINEAR), /// FIXME ???
79 HEADER("Exception types"),
80 CONSTANT(ExceptionContinueExecution
),
81 CONSTANT(ExceptionContinueSearch
),
82 CONSTANT(ExceptionNestedException
),
83 CONSTANT(ExceptionCollidedUnwind
),
85 HEADER("Fast Fail Constants"),
86 CONSTANT(FAST_FAIL_GUARD_ICALL_CHECK_FAILURE
),
87 //CONSTANT(FAST_FAIL_INVALID_BUFFER_ACCESS),
89 CONSTANT(FAST_FAIL_INVALID_JUMP_BUFFER
),
90 CONSTANT(FAST_FAIL_INVALID_SET_OF_CONTEXT
),
93 HEADER("Interrupt object types"),
94 CONSTANTX(InLevelSensitive
, LevelSensitive
),
95 CONSTANTX(InLatched
, Latched
),
101 CONSTANT(IPI_FREEZE
),
102 CONSTANT(IPI_PACKET_READY
),
105 CONSTANT(IPI_SYNCH_REQUEST
),
109 CONSTANT(PASSIVE_LEVEL
),
111 CONSTANT(DISPATCH_LEVEL
),
113 CONSTANT(CLOCK_LEVEL
),
114 #elif defined(_M_IX86)
115 CONSTANT(CLOCK1_LEVEL
),
116 CONSTANT(CLOCK2_LEVEL
),
119 CONSTANT(POWER_LEVEL
),
120 CONSTANT(PROFILE_LEVEL
),
121 CONSTANT(HIGH_LEVEL
),
123 {TYPE_CONSTANT
, "SYNCH_LEVEL", DISPATCH_LEVEL
},
125 {TYPE_CONSTANT
, "SYNCH_LEVEL", (IPI_LEVEL
- 2)},
128 #if (NTDDI_VERSION >= NTDDI_WIN8)
129 HEADER("Entropy Timing Constants"),
130 CONSTANT(KENTROPY_TIMING_INTERRUPTS_PER_BUFFER
),
131 CONSTANT(KENTROPY_TIMING_BUFFER_MASK
),
132 CONSTANT(KENTROPY_TIMING_ANALYSIS
),
135 HEADER("Lock Queue"),
136 CONSTANT(LOCK_QUEUE_WAIT
),
137 CONSTANT(LOCK_QUEUE_OWNER
),
138 CONSTANT(LockQueueDispatcherLock
), /// FIXME: obsolete
140 //HEADER("Performance Definitions"),
141 //CONSTANT(PERF_CONTEXTSWAP_OFFSET),
142 //CONSTANT(PERF_CONTEXTSWAP_FLAG),
143 //CONSTANT(PERF_INTERRUPT_OFFSET),
144 //CONSTANT(PERF_INTERRUPT_FLAG),
145 //CONSTANT(PERF_SYSCALL_OFFSET),
146 //CONSTANT(PERF_SYSCALL_FLAG),
148 //CONSTANT(PERF_PROFILE_OFFSET), /// FIXME: obsolete
149 //CONSTANT(PERF_PROFILE_FLAG), /// FIXME: obsolete
150 //CONSTANT(PERF_SPINLOCK_OFFSET), /// FIXME: obsolete
151 //CONSTANT(PERF_SPINLOCK_FLAG), /// FIXME: obsolete
154 //CONSTANT(PERF_IPI_OFFSET), // 00008H
155 //CONSTANT(PERF_IPI_FLAG), // 0400000H
156 //CONSTANT(PERF_IPI), // 040400000H
157 //CONSTANT(PERF_INTERRUPT), // 020004000H
159 //CONSTANT(NTOS_YIELD_MACRO),
161 HEADER("Process states"),
162 CONSTANT(ProcessInMemory
),
163 CONSTANT(ProcessOutOfMemory
),
164 CONSTANT(ProcessInTransition
),
166 HEADER("Processor mode"),
167 CONSTANT(KernelMode
),
170 HEADER("Service Table Constants"),
171 CONSTANT(NUMBER_SERVICE_TABLES
),
172 CONSTANT(SERVICE_NUMBER_MASK
),
173 CONSTANT(SERVICE_TABLE_SHIFT
),
174 CONSTANT(SERVICE_TABLE_MASK
),
175 CONSTANT(SERVICE_TABLE_TEST
),
177 HEADER("Status codes"),
178 CONSTANT(STATUS_ACCESS_VIOLATION
),
179 CONSTANT(STATUS_ASSERTION_FAILURE
),
180 CONSTANT(STATUS_ARRAY_BOUNDS_EXCEEDED
),
181 CONSTANT(STATUS_BAD_COMPRESSION_BUFFER
),
182 CONSTANT(STATUS_BREAKPOINT
),
183 CONSTANT(STATUS_CALLBACK_POP_STACK
),
184 CONSTANT(STATUS_DATATYPE_MISALIGNMENT
),
185 CONSTANT(STATUS_FLOAT_DENORMAL_OPERAND
),
186 CONSTANT(STATUS_FLOAT_DIVIDE_BY_ZERO
),
187 CONSTANT(STATUS_FLOAT_INEXACT_RESULT
),
188 CONSTANT(STATUS_FLOAT_INVALID_OPERATION
),
189 CONSTANT(STATUS_FLOAT_OVERFLOW
),
190 CONSTANT(STATUS_FLOAT_STACK_CHECK
),
191 CONSTANT(STATUS_FLOAT_UNDERFLOW
),
192 CONSTANT(STATUS_FLOAT_MULTIPLE_FAULTS
),
193 CONSTANT(STATUS_FLOAT_MULTIPLE_TRAPS
),
194 CONSTANT(STATUS_GUARD_PAGE_VIOLATION
),
195 CONSTANT(STATUS_ILLEGAL_FLOAT_CONTEXT
),
196 CONSTANT(STATUS_ILLEGAL_INSTRUCTION
),
197 CONSTANT(STATUS_INSTRUCTION_MISALIGNMENT
),
198 CONSTANT(STATUS_INVALID_HANDLE
),
199 CONSTANT(STATUS_INVALID_LOCK_SEQUENCE
),
200 CONSTANT(STATUS_INVALID_OWNER
),
201 CONSTANT(STATUS_INVALID_PARAMETER
),
202 CONSTANT(STATUS_INVALID_PARAMETER_1
),
203 CONSTANT(STATUS_INVALID_SYSTEM_SERVICE
),
204 //CONSTANT(STATUS_INVALID_THREAD),
205 CONSTANT(STATUS_INTEGER_DIVIDE_BY_ZERO
),
206 CONSTANT(STATUS_INTEGER_OVERFLOW
),
207 CONSTANT(STATUS_IN_PAGE_ERROR
),
208 CONSTANT(STATUS_KERNEL_APC
),
209 CONSTANT(STATUS_LONGJUMP
),
210 CONSTANT(STATUS_NO_CALLBACK_ACTIVE
),
212 CONSTANT(STATUS_NO_EVENT_PAIR
), /// FIXME: obsolete
214 CONSTANT(STATUS_PRIVILEGED_INSTRUCTION
),
215 CONSTANT(STATUS_SINGLE_STEP
),
216 CONSTANT(STATUS_STACK_BUFFER_OVERRUN
),
217 CONSTANT(STATUS_STACK_OVERFLOW
),
218 CONSTANT(STATUS_SUCCESS
),
219 CONSTANT(STATUS_THREAD_IS_TERMINATING
),
220 CONSTANT(STATUS_TIMEOUT
),
221 CONSTANT(STATUS_UNWIND
),
222 CONSTANT(STATUS_UNWIND_CONSOLIDATE
),
223 CONSTANT(STATUS_USER_APC
),
224 CONSTANT(STATUS_WAKE_SYSTEM
),
225 CONSTANT(STATUS_WAKE_SYSTEM_DEBUGGER
),
227 //HEADER("Thread flags"),
228 //CONSTANT(THREAD_FLAGS_CYCLE_PROFILING),
229 //CONSTANT(THREAD_FLAGS_CYCLE_PROFILING_LOCK_BIT),
230 //CONSTANT(THREAD_FLAGS_CYCLE_PROFILING_LOCK),
231 //CONSTANT(THREAD_FLAGS_COUNTER_PROFILING),
232 //CONSTANT(THREAD_FLAGS_COUNTER_PROFILING_LOCK_BIT),
233 //CONSTANT(THREAD_FLAGS_COUNTER_PROFILING_LOCK),
234 //CONSTANT(THREAD_FLAGS_CPU_THROTTLED), /// FIXME: obsolete
235 //CONSTANT(THREAD_FLAGS_CPU_THROTTLED_BIT), /// FIXME: obsolete
236 //CONSTANT(THREAD_FLAGS_ACCOUNTING_CSWITCH),
237 //CONSTANT(THREAD_FLAGS_ACCOUNTING_INTERRUPT),
238 //CONSTANT(THREAD_FLAGS_ACCOUNTING_ANY),
239 //CONSTANT(THREAD_FLAGS_GROUP_SCHEDULING),
240 //CONSTANT(THREAD_FLAGS_AFFINITY_SET),
242 //CONSTANT(THREAD_FLAGS_INSTRUMENTED), // 0x0040
243 //CONSTANT(THREAD_FLAGS_INSTRUMENTED_PROFILING), // 0x0041
246 HEADER("TLS defines"),
247 CONSTANT(TLS_MINIMUM_AVAILABLE
),
248 CONSTANT(TLS_EXPANSION_SLOTS
),
250 HEADER("Thread states"),
251 CONSTANT(Initialized
),
255 CONSTANT(Terminated
),
258 CONSTANT(Transition
),
259 CONSTANT(DeferredReady
),
260 //CONSTANT(GateWaitObsolete),
263 HEADER("Wait type / reason"),
264 CONSTANT(WrExecutive
),
265 CONSTANT(WrMutex
), /// FIXME: Obsolete
266 CONSTANT(WrDispatchInt
),
267 CONSTANT(WrQuantumEnd
), /// FIXME: Obsolete
268 CONSTANT(WrEventPair
), /// FIXME: Obsolete
272 HEADER("Stack sizes"),
273 CONSTANT(KERNEL_STACK_SIZE
), /// FIXME: Obsolete
274 CONSTANT(KERNEL_LARGE_STACK_SIZE
),
275 CONSTANT(KERNEL_LARGE_STACK_COMMIT
), /// FIXME: Obsolete
276 //CONSTANT(DOUBLE_FAULT_STACK_SIZE),
278 CONSTANT(KERNEL_MCA_EXCEPTION_STACK_SIZE
),
279 CONSTANT(NMI_STACK_SIZE
),
280 CONSTANT(ISR_STACK_SIZE
),
283 //CONSTANT(KTHREAD_AUTO_ALIGNMENT_BIT),
284 //CONSTANT(KTHREAD_GUI_THREAD_MASK),
285 //CONSTANT(KTHREAD_SYSTEM_THREAD_BIT),
286 //CONSTANT(KTHREAD_QUEUE_DEFER_PREEMPTION_BIT),
288 HEADER("Miscellaneous Definitions"),
293 //CONSTANT(BASE_PRIORITY_THRESHOLD),
294 //CONSTANT(EVENT_PAIR_INCREMENT), /// FIXME: obsolete
295 CONSTANT(LOW_REALTIME_PRIORITY
),
296 CONSTANT(CLOCK_QUANTUM_DECREMENT
),
297 //CONSTANT(READY_SKIP_QUANTUM),
298 //CONSTANT(THREAD_QUANTUM),
299 CONSTANT(WAIT_QUANTUM_DECREMENT
),
300 //CONSTANT(ROUND_TRIP_DECREMENT_COUNT),
301 CONSTANT(MAXIMUM_PROCESSORS
),
302 CONSTANT(INITIAL_STALL_COUNT
),
303 //CONSTANT(EXCEPTION_EXECUTE_FAULT), // amd64
304 //CONSTANT(KCACHE_ERRATA_MONITOR_FLAGS), // not arm
305 //CONSTANT(KI_DPC_ALL_FLAGS),
306 //CONSTANT(KI_DPC_ANY_DPC_ACTIVE),
307 //CONSTANT(KI_DPC_INTERRUPT_FLAGS), // 0x2f arm and x64
308 //CONSTANT(KI_EXCEPTION_GP_FAULT), // not i386
309 //CONSTANT(KI_EXCEPTION_INVALID_OP), // not i386
310 //CONSTANT(KI_EXCEPTION_INTEGER_DIVIDE_BY_ZERO), // amd64
311 CONSTANT(KI_EXCEPTION_ACCESS_VIOLATION
),
312 //CONSTANT(KINTERRUPT_STATE_DISABLED_BIT),
313 //CONSTANT(KINTERRUPT_STATE_DISABLED),
314 //CONSTANT(TARGET_FREEZE), // amd64
315 //CONSTANT(BlackHole), // FIXME: obsolete
316 CONSTANT(DBG_STATUS_CONTROL_C
),
317 //CONSTANTPTR(USER_SHARED_DATA), // FIXME: we need the kernel mode address here!
318 //CONSTANT(MM_SHARED_USER_DATA_VA),
319 //CONSTANT(KERNEL_STACK_CONTROL_LARGE_STACK), // FIXME: obsolete
320 //CONSTANT(DISPATCH_LENGTH), // FIXME: obsolete
321 //CONSTANT(MAXIMUM_PRIMARY_VECTOR), // not arm
322 //CONSTANT(KI_SLIST_FAULT_COUNT_MAXIMUM), // i386
323 //CONSTANT(USER_CALLBACK_FILTER), // commented-out entry; missing '(' corrected so it can be re-enabled as-is
326 CONSTANT(MAXIMUM_IDTVECTOR
),
327 //CONSTANT(MAXIMUM_PRIMARY_VECTOR),
328 CONSTANT(PRIMARY_VECTOR_BASE
),
331 //MODE_BIT equ 00000H amd64
332 //LDT_MASK equ 00004H amd64
336 /* STRUCTURE OFFSETS *********************************************************/
338 //HEADER("KAFFINITY_EX"),
339 //OFFSET(AfCount, KAFFINITY_EX, Count),
340 //OFFSET(AfBitmap, KAFFINITY_EX, Bitmap),
342 //HEADER("Aligned Affinity"),
343 //OFFSET(AfsCpuSet, ???, CpuSet), // FIXME: obsolete
346 OFFSET(ApType
, KAPC
, Type
),
347 OFFSET(ApSize
, KAPC
, Size
),
348 OFFSET(ApThread
, KAPC
, Thread
),
349 OFFSET(ApApcListEntry
, KAPC
, ApcListEntry
),
350 OFFSET(ApKernelRoutine
, KAPC
, KernelRoutine
),
351 OFFSET(ApRundownRoutine
, KAPC
, RundownRoutine
),
352 OFFSET(ApNormalRoutine
, KAPC
, NormalRoutine
),
353 OFFSET(ApNormalContext
, KAPC
, NormalContext
),
354 OFFSET(ApSystemArgument1
, KAPC
, SystemArgument1
),
355 OFFSET(ApSystemArgument2
, KAPC
, SystemArgument2
),
356 OFFSET(ApApcStateIndex
, KAPC
, ApcStateIndex
),
357 OFFSET(ApApcMode
, KAPC
, ApcMode
),
358 OFFSET(ApInserted
, KAPC
, Inserted
),
359 SIZE(ApcObjectLength
, KAPC
),
361 HEADER("KAPC offsets (relative to NormalRoutine)"),
362 RELOFFSET(ArNormalRoutine
, KAPC
, NormalRoutine
, NormalRoutine
),
363 RELOFFSET(ArNormalContext
, KAPC
, NormalContext
, NormalRoutine
),
364 RELOFFSET(ArSystemArgument1
, KAPC
, SystemArgument1
, NormalRoutine
),
365 RELOFFSET(ArSystemArgument2
, KAPC
, SystemArgument2
, NormalRoutine
),
366 CONSTANTX(ApcRecordLength
, 4 * sizeof(PVOID
)),
368 HEADER("KAPC_STATE"),
369 OFFSET(AsApcListHead
, KAPC_STATE
, ApcListHead
),
370 OFFSET(AsProcess
, KAPC_STATE
, Process
),
371 OFFSET(AsKernelApcInProgress
, KAPC_STATE
, KernelApcInProgress
), // FIXME: obsolete
372 OFFSET(AsKernelApcPending
, KAPC_STATE
, KernelApcPending
),
373 OFFSET(AsUserApcPending
, KAPC_STATE
, UserApcPending
),
376 OFFSET(CidUniqueProcess
, CLIENT_ID
, UniqueProcess
),
377 OFFSET(CidUniqueThread
, CLIENT_ID
, UniqueThread
),
379 HEADER("RTL_CRITICAL_SECTION"),
380 OFFSET(CsDebugInfo
, RTL_CRITICAL_SECTION
, DebugInfo
),
381 OFFSET(CsLockCount
, RTL_CRITICAL_SECTION
, LockCount
),
382 OFFSET(CsRecursionCount
, RTL_CRITICAL_SECTION
, RecursionCount
),
383 OFFSET(CsOwningThread
, RTL_CRITICAL_SECTION
, OwningThread
),
384 OFFSET(CsLockSemaphore
, RTL_CRITICAL_SECTION
, LockSemaphore
),
385 OFFSET(CsSpinCount
, RTL_CRITICAL_SECTION
, SpinCount
),
387 HEADER("RTL_CRITICAL_SECTION_DEBUG"),
388 OFFSET(CsType
, RTL_CRITICAL_SECTION_DEBUG
, Type
),
389 OFFSET(CsCreatorBackTraceIndex
, RTL_CRITICAL_SECTION_DEBUG
, CreatorBackTraceIndex
),
390 OFFSET(CsCriticalSection
, RTL_CRITICAL_SECTION_DEBUG
, CriticalSection
),
391 OFFSET(CsProcessLocksList
, RTL_CRITICAL_SECTION_DEBUG
, ProcessLocksList
),
392 OFFSET(CsEntryCount
, RTL_CRITICAL_SECTION_DEBUG
, EntryCount
),
393 OFFSET(CsContentionCount
, RTL_CRITICAL_SECTION_DEBUG
, ContentionCount
),
395 HEADER("KDEVICE_QUEUE_ENTRY"),
396 OFFSET(DeDeviceListEntry
, KDEVICE_QUEUE_ENTRY
, DeviceListEntry
),
397 OFFSET(DeSortKey
, KDEVICE_QUEUE_ENTRY
, SortKey
),
398 OFFSET(DeInserted
, KDEVICE_QUEUE_ENTRY
, Inserted
),
399 SIZE(DeviceQueueEntryLength
, KDEVICE_QUEUE_ENTRY
),
402 OFFSET(DpType
, KDPC
, Type
),
403 OFFSET(DpImportance
, KDPC
, Importance
),
404 OFFSET(DpNumber
, KDPC
, Number
),
405 OFFSET(DpDpcListEntry
, KDPC
, DpcListEntry
),
406 OFFSET(DpDeferredRoutine
, KDPC
, DeferredRoutine
),
407 OFFSET(DpDeferredContext
, KDPC
, DeferredContext
),
408 OFFSET(DpSystemArgument1
, KDPC
, SystemArgument1
),
409 OFFSET(DpSystemArgument2
, KDPC
, SystemArgument2
),
410 OFFSET(DpDpcData
, KDPC
, DpcData
),
411 SIZE(DpcObjectLength
, KDPC
),
413 HEADER("KDEVICE_QUEUE"),
414 OFFSET(DvType
, KDEVICE_QUEUE
, Type
),
415 OFFSET(DvSize
, KDEVICE_QUEUE
, Size
),
416 OFFSET(DvDeviceListHead
, KDEVICE_QUEUE
, DeviceListHead
),
417 OFFSET(DvSpinLock
, KDEVICE_QUEUE
, Lock
),
418 OFFSET(DvBusy
, KDEVICE_QUEUE
, Busy
),
419 SIZE(DeviceQueueObjectLength
, KDEVICE_QUEUE
),
421 HEADER("EXCEPTION_RECORD"),
422 OFFSET(ErExceptionCode
, EXCEPTION_RECORD
, ExceptionCode
),
423 OFFSET(ErExceptionFlags
, EXCEPTION_RECORD
, ExceptionFlags
),
424 OFFSET(ErExceptionRecord
, EXCEPTION_RECORD
, ExceptionRecord
),
425 OFFSET(ErExceptionAddress
, EXCEPTION_RECORD
, ExceptionAddress
),
426 OFFSET(ErNumberParameters
, EXCEPTION_RECORD
, NumberParameters
),
427 OFFSET(ErExceptionInformation
, EXCEPTION_RECORD
, ExceptionInformation
),
428 SIZE(ExceptionRecordLength
, EXCEPTION_RECORD
),
429 SIZE(EXCEPTION_RECORD_LENGTH
, EXCEPTION_RECORD
), // not i386
432 OFFSET(EpDebugPort
, EPROCESS
, DebugPort
),
434 OFFSET(EpVdmObjects
, EPROCESS
, VdmObjects
),
435 #elif defined(_M_AMD64)
436 OFFSET(EpWow64Process
, EPROCESS
, Wow64Process
),
438 SIZE(ExecutiveProcessObjectLength
, EPROCESS
),
440 HEADER("ETHREAD offsets"),
441 OFFSET(EtCid
, ETHREAD
, Cid
), // 0x364
442 SIZE(ExecutiveThreadObjectLength
, ETHREAD
), // 0x418
445 OFFSET(EvType
, KEVENT
, Header
.Type
),
446 OFFSET(EvSize
, KEVENT
, Header
.Size
),
447 OFFSET(EvSignalState
, KEVENT
, Header
.SignalState
),
448 OFFSET(EvWaitListHead
, KEVENT
, Header
.WaitListHead
),
449 SIZE(EventObjectLength
, KEVENT
),
452 OFFSET(FbFiberData
, FIBER
, FiberData
),
453 OFFSET(FbExceptionList
, FIBER
, ExceptionList
),
454 OFFSET(FbStackBase
, FIBER
, StackBase
),
455 OFFSET(FbStackLimit
, FIBER
, StackLimit
),
456 OFFSET(FbDeallocationStack
, FIBER
, DeallocationStack
),
457 OFFSET(FbFiberContext
, FIBER
, FiberContext
),
458 //OFFSET(FbWx86Tib, FIBER, Wx86Tib),
459 //OFFSET(FbActivationContextStackPointer, FIBER, ActivationContextStackPointer),
460 OFFSET(FbFlsData
, FIBER
, FlsData
),
461 OFFSET(FbGuaranteedStackBytes
, FIBER
, GuaranteedStackBytes
),
462 //OFFSET(FbTebFlags, FIBER, TebFlags),
464 HEADER("FAST_MUTEX"),
465 OFFSET(FmCount
, FAST_MUTEX
, Count
),
466 OFFSET(FmOwner
, FAST_MUTEX
, Owner
),
467 OFFSET(FmContention
, FAST_MUTEX
, Contention
),
468 //OFFSET(FmGate, FAST_MUTEX, Gate), // obsolete
469 OFFSET(FmOldIrql
, FAST_MUTEX
, OldIrql
),
472 HEADER("GETSETCONTEXT offsets"), // GET_SET_CTX_CONTEXT
473 OFFSET(GetSetCtxContextPtr
, GETSETCONTEXT
, Context
),
476 HEADER("KINTERRUPT"),
477 OFFSET(InType
, KINTERRUPT
, Type
),
478 OFFSET(InSize
, KINTERRUPT
, Size
),
479 OFFSET(InInterruptListEntry
, KINTERRUPT
, InterruptListEntry
),
480 OFFSET(InServiceRoutine
, KINTERRUPT
, ServiceRoutine
),
481 OFFSET(InServiceContext
, KINTERRUPT
, ServiceContext
),
482 OFFSET(InSpinLock
, KINTERRUPT
, SpinLock
),
483 OFFSET(InTickCount
, KINTERRUPT
, TickCount
),
484 OFFSET(InActualLock
, KINTERRUPT
, ActualLock
),
485 OFFSET(InDispatchAddress
, KINTERRUPT
, DispatchAddress
),
486 OFFSET(InVector
, KINTERRUPT
, Vector
),
487 OFFSET(InIrql
, KINTERRUPT
, Irql
),
488 OFFSET(InSynchronizeIrql
, KINTERRUPT
, SynchronizeIrql
),
489 OFFSET(InFloatingSave
, KINTERRUPT
, FloatingSave
),
490 OFFSET(InConnected
, KINTERRUPT
, Connected
),
491 OFFSET(InNumber
, KINTERRUPT
, Number
),
492 OFFSET(InShareVector
, KINTERRUPT
, ShareVector
),
493 //OFFSET(InInternalState, KINTERRUPT, InternalState),
494 OFFSET(InMode
, KINTERRUPT
, Mode
),
495 OFFSET(InServiceCount
, KINTERRUPT
, ServiceCount
),
496 OFFSET(InDispatchCount
, KINTERRUPT
, DispatchCount
),
497 //OFFSET(InTrapFrame, KINTERRUPT, TrapFrame), // amd64
498 OFFSET(InDispatchCode
, KINTERRUPT
, DispatchCode
), // obsolete
499 SIZE(InterruptObjectLength
, KINTERRUPT
),
502 HEADER("IO_STATUS_BLOCK"),
503 OFFSET(IoStatus
, IO_STATUS_BLOCK
, Status
),
504 OFFSET(IoPointer
, IO_STATUS_BLOCK
, Pointer
),
505 OFFSET(IoInformation
, IO_STATUS_BLOCK
, Information
),
506 #endif /* _M_AMD64 */
508 #if (NTDDI_VERSION >= NTDDI_WIN8)
509 HEADER("KSTACK_CONTROL"),
510 OFFSET(KcCurrentBase
, KSTACK_CONTROL
, StackBase
),
511 OFFSET(KcActualLimit
, KSTACK_CONTROL
, ActualLimit
),
512 OFFSET(KcPreviousBase
, KSTACK_CONTROL
, Previous
.StackBase
),
513 OFFSET(KcPreviousLimit
, KSTACK_CONTROL
, Previous
.StackLimit
),
514 OFFSET(KcPreviousKernel
, KSTACK_CONTROL
, Previous
.KernelStack
),
515 OFFSET(KcPreviousInitial
, KSTACK_CONTROL
, Previous
.InitialStack
),
517 OFFSET(KcTrapFrame
, KSTACK_CONTROL
, PreviousTrapFrame
),
518 OFFSET(KcExceptionList
, KSTACK_CONTROL
, PreviousExceptionList
),
520 SIZE(KSTACK_CONTROL_LENGTH
, KSTACK_CONTROL
),
521 CONSTANT(KSTACK_ACTUAL_LIMIT_EXPANDED
), // move somewhere else?
523 //HEADER("KERNEL_STACK_CONTROL"),
526 #if 0 // no longer in win 10, different struct
528 //OFFSET(KnRight, KNODE, Right),
529 //OFFSET(KnLeft, KNODE, Left),
530 OFFSET(KnPfnDereferenceSListHead
, KNODE
, PfnDereferenceSListHead
),
531 OFFSET(KnProcessorMask
, KNODE
, ProcessorMask
),
532 OFFSET(KnColor
, KNODE
, Color
),
533 OFFSET(KnSeed
, KNODE
, Seed
),
534 OFFSET(KnNodeNumber
, KNODE
, NodeNumber
),
535 OFFSET(KnFlags
, KNODE
, Flags
),
536 OFFSET(KnMmShiftedColor
, KNODE
, MmShiftedColor
),
537 OFFSET(KnFreeCount
, KNODE
, FreeCount
),
538 OFFSET(KnPfnDeferredList
, KNODE
, PfnDeferredList
),
539 SIZE(KNODE_SIZE
, KNODE
),
542 HEADER("KSPIN_LOCK_QUEUE"),
543 OFFSET(LqNext
, KSPIN_LOCK_QUEUE
, Next
),
544 OFFSET(LqLock
, KSPIN_LOCK_QUEUE
, Lock
),
545 SIZE(LOCK_QUEUE_HEADER_SIZE
, KSPIN_LOCK_QUEUE
),
547 HEADER("KLOCK_QUEUE_HANDLE"),
548 OFFSET(LqhLockQueue
, KLOCK_QUEUE_HANDLE
, LockQueue
),
549 OFFSET(LqhNext
, KLOCK_QUEUE_HANDLE
, LockQueue
.Next
),
550 OFFSET(LqhLock
, KLOCK_QUEUE_HANDLE
, LockQueue
.Lock
),
551 OFFSET(LqhOldIrql
, KLOCK_QUEUE_HANDLE
, OldIrql
),
553 HEADER("LARGE_INTEGER"),
554 OFFSET(LiLowPart
, LARGE_INTEGER
, LowPart
),
555 OFFSET(LiHighPart
, LARGE_INTEGER
, HighPart
),
557 HEADER("LOADER_PARAMETER_BLOCK (rel. to LoadOrderListHead)"),
558 RELOFFSET(LpbKernelStack
, LOADER_PARAMETER_BLOCK
, KernelStack
, LoadOrderListHead
),
559 RELOFFSET(LpbPrcb
, LOADER_PARAMETER_BLOCK
, Prcb
, LoadOrderListHead
),
560 RELOFFSET(LpbProcess
, LOADER_PARAMETER_BLOCK
, Process
, LoadOrderListHead
),
561 RELOFFSET(LpbThread
, LOADER_PARAMETER_BLOCK
, Thread
, LoadOrderListHead
),
563 HEADER("LIST_ENTRY"),
564 OFFSET(LsFlink
, LIST_ENTRY
, Flink
),
565 OFFSET(LsBlink
, LIST_ENTRY
, Blink
),
568 OFFSET(PeBeingDebugged
, PEB
, BeingDebugged
),
569 OFFSET(PeProcessParameters
, PEB
, ProcessParameters
),
570 OFFSET(PeKernelCallbackTable
, PEB
, KernelCallbackTable
),
571 SIZE(ProcessEnvironmentBlockLength
, PEB
),
574 OFFSET(PfType
, KPROFILE
, Type
),
575 OFFSET(PfSize
, KPROFILE
, Size
),
576 OFFSET(PfProfileListEntry
, KPROFILE
, ProfileListEntry
),
577 OFFSET(PfProcess
, KPROFILE
, Process
),
578 OFFSET(PfRangeBase
, KPROFILE
, RangeBase
),
579 OFFSET(PfRangeLimit
, KPROFILE
, RangeLimit
),
580 OFFSET(PfBucketShift
, KPROFILE
, BucketShift
),
581 OFFSET(PfBuffer
, KPROFILE
, Buffer
),
582 OFFSET(PfSegment
, KPROFILE
, Segment
),
583 OFFSET(PfAffinity
, KPROFILE
, Affinity
),
584 OFFSET(PfSource
, KPROFILE
, Source
),
585 OFFSET(PfStarted
, KPROFILE
, Started
),
586 SIZE(ProfileObjectLength
, KPROFILE
),
588 HEADER("PORT_MESSAGE"), // whole thing obsolete in win10
589 OFFSET(PmLength
, PORT_MESSAGE
, u1
.Length
),
590 OFFSET(PmZeroInit
, PORT_MESSAGE
, u2
.ZeroInit
),
591 OFFSET(PmClientId
, PORT_MESSAGE
, ClientId
),
592 OFFSET(PmProcess
, PORT_MESSAGE
, ClientId
.UniqueProcess
),
593 OFFSET(PmThread
, PORT_MESSAGE
, ClientId
.UniqueThread
),
594 OFFSET(PmMessageId
, PORT_MESSAGE
, MessageId
),
595 OFFSET(PmClientViewSize
, PORT_MESSAGE
, ClientViewSize
),
596 SIZE(PortMessageLength
, PORT_MESSAGE
),
599 OFFSET(PrType
, KPROCESS
, Header
.Type
),
600 OFFSET(PrSize
, KPROCESS
, Header
.Size
),
601 OFFSET(PrSignalState
, KPROCESS
, Header
.SignalState
),
602 OFFSET(PrProfileListHead
, KPROCESS
, ProfileListHead
),
603 OFFSET(PrDirectoryTableBase
, KPROCESS
, DirectoryTableBase
),
605 //OFFSET(PrPageDirectory, KPROCESS, PageDirectory),
606 #elif defined(_M_IX86)
607 OFFSET(PrLdtDescriptor
, KPROCESS
, LdtDescriptor
),
608 OFFSET(PrInt21Descriptor
, KPROCESS
, Int21Descriptor
),
610 OFFSET(PrThreadListHead
, KPROCESS
, ThreadListHead
),
611 OFFSET(PrAffinity
, KPROCESS
, Affinity
),
612 OFFSET(PrReadyListHead
, KPROCESS
, ReadyListHead
),
613 OFFSET(PrSwapListEntry
, KPROCESS
, SwapListEntry
),
614 OFFSET(PrActiveProcessors
, KPROCESS
, ActiveProcessors
),
615 OFFSET(PrProcessFlags
, KPROCESS
, ProcessFlags
),
616 OFFSET(PrBasePriority
, KPROCESS
, BasePriority
),
617 OFFSET(PrQuantumReset
, KPROCESS
, QuantumReset
),
619 OFFSET(PrIopmOffset
, KPROCESS
, IopmOffset
),
621 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
622 OFFSET(PrCycleTime
, KPROCESS
, CycleTime
),
624 OFFSET(PrKernelTime
, KPROCESS
, KernelTime
),
625 OFFSET(PrUserTime
, KPROCESS
, UserTime
),
626 #if defined(_M_AMD64) || defined(_M_ARM)
627 //OFFSET(PrInstrumentationCallback, KPROCESS, InstrumentationCallback),
628 #elif defined(_M_IX86)
629 OFFSET(PrVdmTrapcHandler
, KPROCESS
, VdmTrapcHandler
),
630 //OFFSET(PrVdmObjects, KPROCESS, VdmObjects),
631 OFFSET(PrFlags
, KPROCESS
, Flags
),
632 //PrInstrumentationCallback equ 0031CH // ???
634 SIZE(KernelProcessObjectLength
, KPROCESS
),
637 OFFSET(QuType
, KQUEUE
, Header
.Type
), // not in win10
638 OFFSET(QuSize
, KQUEUE
, Header
.Size
), // not in win10
639 OFFSET(QuSignalState
, KQUEUE
, Header
.SignalState
),
640 OFFSET(QuEntryListHead
, KQUEUE
, EntryListHead
),
641 OFFSET(QuCurrentCount
, KQUEUE
, CurrentCount
),
642 OFFSET(QuMaximumCount
, KQUEUE
, MaximumCount
),
643 OFFSET(QuThreadListHead
, KQUEUE
, ThreadListHead
),
644 SIZE(QueueObjectLength
, KQUEUE
),
646 HEADER("KSERVICE_TABLE_DESCRIPTOR offsets"),
647 OFFSET(SdBase
, KSERVICE_TABLE_DESCRIPTOR
, Base
),
648 OFFSET(SdCount
, KSERVICE_TABLE_DESCRIPTOR
, Count
), // not in win10
649 OFFSET(SdLimit
, KSERVICE_TABLE_DESCRIPTOR
, Limit
),
650 OFFSET(SdNumber
, KSERVICE_TABLE_DESCRIPTOR
, Number
),
651 SIZE(SdLength
, KSERVICE_TABLE_DESCRIPTOR
),
654 OFFSET(StrLength
, STRING
, Length
),
655 OFFSET(StrMaximumLength
, STRING
, MaximumLength
),
656 OFFSET(StrBuffer
, STRING
, Buffer
),
660 OFFSET(TeExceptionList
, TEB
, NtTib
.ExceptionList
),
661 #elif defined(_M_AMD64)
662 OFFSET(TeCmTeb
, TEB
, NtTib
),
664 OFFSET(TeStackBase
, TEB
, NtTib
.StackBase
),
665 OFFSET(TeStackLimit
, TEB
, NtTib
.StackLimit
),
666 OFFSET(TeFiberData
, TEB
, NtTib
.FiberData
),
667 OFFSET(TeSelf
, TEB
, NtTib
.Self
),
668 OFFSET(TeEnvironmentPointer
, TEB
, EnvironmentPointer
),
669 OFFSET(TeClientId
, TEB
, ClientId
),
670 OFFSET(TeActiveRpcHandle
, TEB
, ActiveRpcHandle
),
671 OFFSET(TeThreadLocalStoragePointer
, TEB
, ThreadLocalStoragePointer
),
672 OFFSET(TePeb
, TEB
, ProcessEnvironmentBlock
),
673 OFFSET(TeLastErrorValue
, TEB
, LastErrorValue
),
674 OFFSET(TeCountOfOwnedCriticalSections
, TEB
, CountOfOwnedCriticalSections
),
675 OFFSET(TeCsrClientThread
, TEB
, CsrClientThread
),
676 OFFSET(TeWOW32Reserved
, TEB
, WOW32Reserved
),
677 //OFFSET(TeSoftFpcr, TEB, SoftFpcr),
678 OFFSET(TeExceptionCode
, TEB
, ExceptionCode
),
679 OFFSET(TeActivationContextStackPointer
, TEB
, ActivationContextStackPointer
),
680 //#if (NTDDI_VERSION >= NTDDI_WIN10)
681 //OFFSET(TeInstrumentationCallbackSp, TEB, InstrumentationCallbackSp),
682 //OFFSET(TeInstrumentationCallbackPreviousPc, TEB, InstrumentationCallbackPreviousPc),
683 //OFFSET(TeInstrumentationCallbackPreviousSp, TEB, InstrumentationCallbackPreviousSp),
685 OFFSET(TeGdiClientPID
, TEB
, GdiClientPID
),
686 OFFSET(TeGdiClientTID
, TEB
, GdiClientTID
),
687 OFFSET(TeGdiThreadLocalInfo
, TEB
, GdiThreadLocalInfo
),
688 OFFSET(TeglDispatchTable
, TEB
, glDispatchTable
),
689 OFFSET(TeglReserved1
, TEB
, glReserved1
),
690 OFFSET(TeglReserved2
, TEB
, glReserved2
),
691 OFFSET(TeglSectionInfo
, TEB
, glSectionInfo
),
692 OFFSET(TeglSection
, TEB
, glSection
),
693 OFFSET(TeglTable
, TEB
, glTable
),
694 OFFSET(TeglCurrentRC
, TEB
, glCurrentRC
),
695 OFFSET(TeglContext
, TEB
, glContext
),
696 OFFSET(TeDeallocationStack
, TEB
, DeallocationStack
),
697 OFFSET(TeTlsSlots
, TEB
, TlsSlots
),
698 OFFSET(TeVdm
, TEB
, Vdm
),
699 OFFSET(TeInstrumentation
, TEB
, Instrumentation
),
700 OFFSET(TeGdiBatchCount
, TEB
, GdiBatchCount
),
701 OFFSET(TeGuaranteedStackBytes
, TEB
, GuaranteedStackBytes
),
702 OFFSET(TeTlsExpansionSlots
, TEB
, TlsExpansionSlots
),
703 OFFSET(TeFlsData
, TEB
, FlsData
),
704 SIZE(ThreadEnvironmentBlockLength
, TEB
),
706 HEADER("TIME_FIELDS"),
707 OFFSET(TfYear
, TIME_FIELDS
, Year
),
708 OFFSET(TfMonth
, TIME_FIELDS
, Month
),
709 OFFSET(TfDay
, TIME_FIELDS
, Day
),
710 OFFSET(TfHour
, TIME_FIELDS
, Hour
),
711 OFFSET(TfMinute
, TIME_FIELDS
, Minute
),
712 OFFSET(TfSecond
, TIME_FIELDS
, Second
),
713 OFFSET(TfMilliseconds
, TIME_FIELDS
, Milliseconds
),
714 OFFSET(TfWeekday
, TIME_FIELDS
, Weekday
),
717 OFFSET(ThType
, KTHREAD
, Header
.Type
),
718 OFFSET(ThLock
, KTHREAD
, Header
.Lock
),
719 OFFSET(ThSize
, KTHREAD
, Header
.Size
),
720 OFFSET(ThThreadControlFlags
, KTHREAD
, Header
.ThreadControlFlags
),
721 OFFSET(ThDebugActive
, KTHREAD
, Header
.DebugActive
),
722 OFFSET(ThSignalState
, KTHREAD
, Header
.SignalState
),
723 OFFSET(ThInitialStack
, KTHREAD
, InitialStack
),
724 OFFSET(ThStackLimit
, KTHREAD
, StackLimit
),
725 OFFSET(ThStackBase
, KTHREAD
, StackBase
),
726 OFFSET(ThThreadLock
, KTHREAD
, ThreadLock
),
727 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
728 OFFSET(ThCycleTime
, KTHREAD
, CycleTime
),
730 OFFSET(ThHighCycleTime
, KTHREAD
, HighCycleTime
),
732 #endif /* (NTDDI_VERSION >= NTDDI_LONGHORN) */
734 OFFSET(ThServiceTable
, KTHREAD
, ServiceTable
),
736 //OFFSET(ThCurrentRunTime, KTHREAD, CurrentRunTime),
737 //OFFSET(ThStateSaveArea, KTHREAD, StateSaveArea), // 0x3C not arm
738 OFFSET(ThKernelStack
, KTHREAD
, KernelStack
),
739 #if (NTDDI_VERSION >= NTDDI_WIN7)
740 OFFSET(ThRunning
, KTHREAD
, Running
),
741 #endif /* (NTDDI_VERSION >= NTDDI_WIN7) */
742 OFFSET(ThAlerted
, KTHREAD
, Alerted
),
743 #if (NTDDI_VERSION >= NTDDI_WIN7)
744 OFFSET(ThMiscFlags
, KTHREAD
, MiscFlags
),
745 #endif /* (NTDDI_VERSION >= NTDDI_WIN7) */
746 OFFSET(ThThreadFlags
, KTHREAD
, ThreadFlags
),
747 #if (NTDDI_VERSION >= NTDDI_LONGHORN)
748 OFFSET(ThSystemCallNumber
, KTHREAD
, SystemCallNumber
),
749 #endif /* (NTDDI_VERSION >= NTDDI_LONGHORN) */
750 //OFFSET(ThFirstArgument, KTHREAD, FirstArgument),
751 OFFSET(ThTrapFrame
, KTHREAD
, TrapFrame
),
752 OFFSET(ThApcState
, KTHREAD
, ApcState
),
753 OFFSET(ThPriority
, KTHREAD
, Priority
),
754 OFFSET(ThContextSwitches
, KTHREAD
, ContextSwitches
),
755 OFFSET(ThState
, KTHREAD
, State
),
756 OFFSET(ThNpxState
, KTHREAD
, NpxState
),
757 OFFSET(ThWaitIrql
, KTHREAD
, WaitIrql
),
758 OFFSET(ThWaitMode
, KTHREAD
, WaitMode
),
759 OFFSET(ThTeb
, KTHREAD
, Teb
),
760 OFFSET(ThTimer
, KTHREAD
, Timer
),
761 OFFSET(ThWin32Thread
, KTHREAD
, Win32Thread
),
762 OFFSET(ThWaitTime
, KTHREAD
, WaitTime
),
763 OFFSET(ThCombinedApcDisable
, KTHREAD
, CombinedApcDisable
),
764 OFFSET(ThKernelApcDisable
, KTHREAD
, KernelApcDisable
),
765 OFFSET(ThSpecialApcDisable
, KTHREAD
, SpecialApcDisable
),
767 //OFFSET(ThVfpState, KTHREAD, VfpState),
769 OFFSET(ThNextProcessor
, KTHREAD
, NextProcessor
),
770 OFFSET(ThProcess
, KTHREAD
, Process
),
771 OFFSET(ThPreviousMode
, KTHREAD
, PreviousMode
),
772 OFFSET(ThPriorityDecrement
, KTHREAD
, PriorityDecrement
),
773 OFFSET(ThAdjustReason
, KTHREAD
, AdjustReason
),
774 OFFSET(ThAdjustIncrement
, KTHREAD
, AdjustIncrement
),
775 OFFSET(ThAffinity
, KTHREAD
, Affinity
),
776 OFFSET(ThApcStateIndex
, KTHREAD
, ApcStateIndex
),
777 OFFSET(ThIdealProcessor
, KTHREAD
, IdealProcessor
),
778 OFFSET(ThApcStatePointer
, KTHREAD
, ApcStatePointer
),
779 OFFSET(ThSavedApcState
, KTHREAD
, SavedApcState
),
780 OFFSET(ThWaitReason
, KTHREAD
, WaitReason
),
781 OFFSET(ThSaturation
, KTHREAD
, Saturation
),
782 OFFSET(ThLegoData
, KTHREAD
, LegoData
),
783 //#if defined(_M_ARM) && (NTDDI_VERSION >= NTDDI_WIN10)
784 //#define ThUserRoBase 0x434
785 //#define ThUserRwBase 0x438
// NOTE(review): the four OFFSET() entries below all name WaitReason as the
// KTHREAD member, so every one of them will generate the same value as
// ThWaitReason (defined earlier in this table) rather than the distinct
// offsets the trailing comments (0x18E, 0x10, 0x434, 0x438) suggest.
// They read as placeholders: any assembly that consumes ThSListFaultCount,
// ThSListFaultAddress, ThUserFsBase or ThUserGsBase would address WaitReason's
// offset instead of the intended field. Point them at the real KTHREAD members
// (not visible here) or leave them commented out until they are, so that no
// trap/syscall-path assembly can silently rely on a wrong offset.
788 OFFSET(ThSListFaultCount
, KTHREAD
, WaitReason
), // 0x18E -- FIXME: placeholder field (WaitReason), see note above
789 OFFSET(ThSListFaultAddress
, KTHREAD
, WaitReason
), // 0x10 -- FIXME: placeholder field (WaitReason), see note above
// The 0x434/0x438 values match the commented-out ThUserRoBase/ThUserRwBase
// defines just above this run; the matching #endif for this #if is outside
// the visible portion of the file.
#if defined(_M_IX86) || defined(_M_AMD64)
792 OFFSET(ThUserFsBase
, KTHREAD
, WaitReason
), // 0x434 -- FIXME: placeholder field (WaitReason), see note above
793 OFFSET(ThUserGsBase
, KTHREAD
, WaitReason
), // 0x438 -- FIXME: placeholder field (WaitReason), see note above
795 SIZE(KernelThreadObjectLength
, KTHREAD
),
798 OFFSET(TiType
, KTIMER
, Header
.Type
),
799 OFFSET(TiSize
, KTIMER
, Header
.Size
),
800 #if (NTDDI_VERSION < NTDDI_WIN7)
801 OFFSET(TiInserted
, KTIMER
, Header
.Inserted
),
803 OFFSET(TiSignalState
, KTIMER
, Header
.SignalState
),
804 OFFSET(TiDueTime
, KTIMER
, DueTime
),
805 OFFSET(TiTimerListEntry
, KTIMER
, TimerListEntry
),
806 OFFSET(TiDpc
, KTIMER
, Dpc
),
807 OFFSET(TiPeriod
, KTIMER
, Period
),
808 SIZE(TimerObjectLength
, KTIMER
),
811 OFFSET(TmLowTime
, TIME
, LowTime
),
812 OFFSET(TmHighTime
, TIME
, HighTime
),
814 HEADER("SYSTEM_CONTEXT_SWITCH_INFORMATION (relative to FindAny)"),
815 RELOFFSET(TwFindAny
, SYSTEM_CONTEXT_SWITCH_INFORMATION
, FindAny
, FindAny
),
816 RELOFFSET(TwFindIdeal
, SYSTEM_CONTEXT_SWITCH_INFORMATION
, FindIdeal
, FindAny
),
817 RELOFFSET(TwFindLast
, SYSTEM_CONTEXT_SWITCH_INFORMATION
, FindLast
, FindAny
),
818 RELOFFSET(TwIdleAny
, SYSTEM_CONTEXT_SWITCH_INFORMATION
, IdleAny
, FindAny
),
819 RELOFFSET(TwIdleCurrent
, SYSTEM_CONTEXT_SWITCH_INFORMATION
, IdleCurrent
, FindAny
),
820 RELOFFSET(TwIdleIdeal
, SYSTEM_CONTEXT_SWITCH_INFORMATION
, IdleIdeal
, FindAny
),
821 RELOFFSET(TwIdleLast
, SYSTEM_CONTEXT_SWITCH_INFORMATION
, IdleLast
, FindAny
),
822 RELOFFSET(TwPreemptAny
, SYSTEM_CONTEXT_SWITCH_INFORMATION
, PreemptAny
, FindAny
),
823 RELOFFSET(TwPreemptCurrent
, SYSTEM_CONTEXT_SWITCH_INFORMATION
, PreemptCurrent
, FindAny
),
824 RELOFFSET(TwPreemptLast
, SYSTEM_CONTEXT_SWITCH_INFORMATION
, PreemptLast
, FindAny
),
825 RELOFFSET(TwSwitchToIdle
, SYSTEM_CONTEXT_SWITCH_INFORMATION
, SwitchToIdle
, FindAny
),
827 HEADER("KUSER_SHARED_DATA"),
828 OFFSET(UsTickCountMultiplier
, KUSER_SHARED_DATA
, TickCountMultiplier
), // 0x4
829 OFFSET(UsInterruptTime
, KUSER_SHARED_DATA
, InterruptTime
), // 0x8
830 OFFSET(UsSystemTime
, KUSER_SHARED_DATA
, SystemTime
), // 0x14
831 OFFSET(UsTimeZoneBias
, KUSER_SHARED_DATA
, TimeZoneBias
), // 0x20
832 OFFSET(UsImageNumberLow
, KUSER_SHARED_DATA
, ImageNumberLow
),
833 OFFSET(UsImageNumberHigh
, KUSER_SHARED_DATA
, ImageNumberHigh
),
834 OFFSET(UsNtSystemRoot
, KUSER_SHARED_DATA
, NtSystemRoot
),
835 OFFSET(UsMaxStackTraceDepth
, KUSER_SHARED_DATA
, MaxStackTraceDepth
),
836 OFFSET(UsCryptoExponent
, KUSER_SHARED_DATA
, CryptoExponent
),
837 OFFSET(UsTimeZoneId
, KUSER_SHARED_DATA
, TimeZoneId
),
838 OFFSET(UsLargePageMinimum
, KUSER_SHARED_DATA
, LargePageMinimum
),
839 //#if (NTDDI_VERSION >= NTDDI_WIN10)
840 //OFFSET(UsNtBuildNumber, KUSER_SHARED_DATA, NtBuildNumber),
842 OFFSET(UsReserved2
, KUSER_SHARED_DATA
, Reserved2
),
844 OFFSET(UsNtProductType
, KUSER_SHARED_DATA
, NtProductType
),
845 OFFSET(UsProductTypeIsValid
, KUSER_SHARED_DATA
, ProductTypeIsValid
),
846 OFFSET(UsNtMajorVersion
, KUSER_SHARED_DATA
, NtMajorVersion
),
847 OFFSET(UsNtMinorVersion
, KUSER_SHARED_DATA
, NtMinorVersion
),
848 OFFSET(UsProcessorFeatures
, KUSER_SHARED_DATA
, ProcessorFeatures
),
849 OFFSET(UsReserved1
, KUSER_SHARED_DATA
, Reserved1
),
850 OFFSET(UsReserved3
, KUSER_SHARED_DATA
, Reserved3
),
851 OFFSET(UsTimeSlip
, KUSER_SHARED_DATA
, TimeSlip
),
852 OFFSET(UsAlternativeArchitecture
, KUSER_SHARED_DATA
, AlternativeArchitecture
),
853 OFFSET(UsSystemExpirationDate
, KUSER_SHARED_DATA
, SystemExpirationDate
), // not on ARM
854 OFFSET(UsSuiteMask
, KUSER_SHARED_DATA
, SuiteMask
),
855 OFFSET(UsKdDebuggerEnabled
, KUSER_SHARED_DATA
, KdDebuggerEnabled
),
856 OFFSET(UsActiveConsoleId
, KUSER_SHARED_DATA
, ActiveConsoleId
),
857 OFFSET(UsDismountCount
, KUSER_SHARED_DATA
, DismountCount
),
858 OFFSET(UsComPlusPackage
, KUSER_SHARED_DATA
, ComPlusPackage
),
859 OFFSET(UsLastSystemRITEventTickCount
, KUSER_SHARED_DATA
, LastSystemRITEventTickCount
),
860 OFFSET(UsNumberOfPhysicalPages
, KUSER_SHARED_DATA
, NumberOfPhysicalPages
),
861 OFFSET(UsSafeBootMode
, KUSER_SHARED_DATA
, SafeBootMode
),
862 OFFSET(UsTestRetInstruction
, KUSER_SHARED_DATA
, TestRetInstruction
),
863 OFFSET(UsSystemCall
, KUSER_SHARED_DATA
, SystemCall
), // not in win10
864 OFFSET(UsSystemCallReturn
, KUSER_SHARED_DATA
, SystemCallReturn
), // not in win10
865 OFFSET(UsSystemCallPad
, KUSER_SHARED_DATA
, SystemCallPad
),
866 OFFSET(UsTickCount
, KUSER_SHARED_DATA
, TickCount
),
867 OFFSET(UsTickCountQuad
, KUSER_SHARED_DATA
, TickCountQuad
),
868 OFFSET(UsWow64SharedInformation
, KUSER_SHARED_DATA
, Wow64SharedInformation
), // not in win10
869 //OFFSET(UsXState, KUSER_SHARED_DATA, XState), // win 10
871 HEADER("KWAIT_BLOCK offsets"),
872 OFFSET(WbWaitListEntry
, KWAIT_BLOCK
, WaitListEntry
),
873 OFFSET(WbThread
, KWAIT_BLOCK
, Thread
),
874 OFFSET(WbObject
, KWAIT_BLOCK
, Object
),
875 OFFSET(WbNextWaitBlock
, KWAIT_BLOCK
, NextWaitBlock
), // not in win10
876 OFFSET(WbWaitKey
, KWAIT_BLOCK
, WaitKey
),
877 OFFSET(WbWaitType
, KWAIT_BLOCK
, WaitType
),
881 //OFFSET(IbCfgBitMap, ????, CfgBitMap),
882 CONSTANT(Win32BatchFlushCallout
0x7
885 #define CmThreadEnvironmentBlockOffset 0x1000
887 ; Process Parameters Block Structure Offset Definitions
891 // Extended context structure offset definitions
892 #define CxxLegacyOffset 0x8
893 #define CxxLegacyLength 0xc
894 #define CxxXStateOffset 0x10
895 #define CxxXStateLength 0x14
898 ; Bounds Callback Status Code Definitions
899 BoundExceptionContinueSearch equ
00000H
900 BoundExceptionHandled equ
00001H
901 BoundExceptionError equ
00002H
905 ; Enlightenment structure definitions
906 HeEnlightenments equ
00000H
907 HeHypervisorConnected equ
00004H
908 HeEndOfInterrupt equ
00008H
909 HeApicWriteIcr equ
0000CH
910 HeSpinCountMask equ
00014H
911 HeLongSpinWait equ
00018H
915 #define AffinityExLength 0xc // not i386