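/*
 * Deferred Procedure Call object.
 * Offsets (hex) are given in the leading comment of each member, in the same
 * style as KPCR/KPRCB below. The 4-byte stride of the pointer members
 * (00C, 010, 014, 018, 01C) shows this is the 32-bit layout.
 */
typedef struct _KDPC {
/*000*/ CSHORT Type;
/*002*/ UCHAR Number;
/*003*/ UCHAR Importance;
/*004*/ LIST_ENTRY DpcListEntry;
/*00C*/ PKDEFERRED_ROUTINE DeferredRoutine;
/*010*/ PVOID DeferredContext;
/*014*/ PVOID SystemArgument1;
/*018*/ PVOID SystemArgument2;
/*01C*/ PULONG_PTR Lock;
} KDPC, *PKDPC, *RESTRICTED_POINTER PRKDPC;

/*
 * Processor Control Region (32-bit x86). This definition is partial: it stops
 * at offset 0x51 (marked below with the original's "???"). The debugger type
 * dump that follows these typedefs lists the complete layout (sizeof=2832).
 * Note the dump names the TSS pointer type _KTSS where this typedef uses _TSS.
 */
typedef struct _KPCR {
/*000*/ NT_TIB NtTib;
/*01C*/ struct _KPCR *SelfPcr; // flat address of this PCR
/*020*/ PKPRCB Prcb;
/*024*/ KIRQL Irql;
/*028*/ DWORD IRR;
/*02C*/ DWORD IrrActive;
/*030*/ DWORD IDR;
/*034*/ DWORD Reserved2;
/*038*/ struct _KIDTENTRY *IDT;
/*03C*/ struct _KGDTENTRY *GDT;
/*040*/ struct _TSS *TSS;
/*044*/ WORD MajorVersion;
/*046*/ WORD MinorVersion;
/*048*/ KAFFINITY SetMember;
/*04C*/ DWORD StallScaleFactor;
/*050*/ BYTE DebugActive;
/*051*/ BYTE Number;
/*???*/
} KPCR, *PKPCR;

/*
 * Processor Control Block (partial, 32-bit).
 *
 * CAUTION: this typedef does not match the KPRCB embedded at +120 (PrcbData)
 * in the debugger dump below. For example this has WakeIdle at 0x11 and
 * RestartBlock at 0x18, while the dump has Reserved at +131 and
 * CpuType/CpuID/CpuStep at +138..+13a. The two come from different kernel
 * builds; offsets must be confirmed against the symbols of the build actually
 * being examined before either layout is relied on.
 *
 * The offset comments are reproduced as written; two of them do not follow
 * from the declared member sizes (a DWORD at 03C ends at 040, not 044, and
 * DWORDLONG[16] at 0A4 spans 128 bytes, ending at 124, not 154).
 */
typedef struct _KPRCB {
/*000*/ USHORT MinorVersion;
/*002*/ USHORT MajorVersion;
/*004*/ PKTHREAD CurrentThread;
/*008*/ PKTHREAD NextThread;
/*00C*/ PKTHREAD IdleThread;
/*010*/ CCHAR Number;
/*011*/ CCHAR WakeIdle;
/*012*/ USHORT BuildType;
/*014*/ KAFFINITY SetMember;
/*018*/ PRESTART_BLOCK RestartBlock;
/*01C*/ PDWORD PcrPage;
/*020*/ DWORD Spare0[4];
/*030*/ DWORD ProcessorModel;
/*034*/ DWORD ProcessorRevision;
/*038*/ DWORD ProcessorFamily;
/*03C*/ DWORD ProcessorArchRev;
/*044*/ DWORDLONG ProcessorSerialNumber;
/*04C*/ DWORDLONG ProcessorFeatureBits;
/*054*/ UCHAR ProcessorVendorString[16];
/*064*/ DWORDLONG SystemReserved[8];
/*0A4*/ DWORDLONG HalReserved[16];
/*154*/
} KPRCB, *PKPRCB;

/*
 * Debugger type dump of struct _KPCR (one member per line: offset, type,
 * name). Nested structure members are listed inline after their container.
 * The dump continues on the following lines.
 */
struct _KPCR (sizeof=2832)
+000 struct _NT_TIB NtTib
+000 struct _EXCEPTION_REGISTRATION_RECORD *ExceptionList
+004 void *StackBase
+008 void *StackLimit
+00c void *SubSystemTib
+010 void *FiberData
+010 uint32 Version
+014 void *ArbitraryUserPointer
+018 struct _NT_TIB *Self
+01c struct _KPCR *SelfPcr
+020 struct _KPRCB *Prcb
+024 byte Irql
+028 uint32 IRR
+02c uint32 IrrActive
+030 uint32 IDR
+034 uint32 Reserved2
+038 struct _KIDTENTRY *IDT
+03c struct _KGDTENTRY *GDT
+040 struct _KTSS *TSS
+044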
uint16 MajorVersion
+046 uint16 MinorVersion
+048 uint32 SetMember
+04c uint32 StallScaleFactor
+050 byte DebugActive
+051 byte Number
+052 byte VdmAlert
+053 byte Reserved[1]
+054 uint32 KernelReserved[15]
+090 uint32 SecondLevelCacheSize
+094 uint32 HalReserved[16]
+0d4 uint32 InterruptMode
+0d8 byte Spare1
+0dc uint32 KernelReserved2[17]
+120 struct _KPRCB PrcbData
+120 uint16 MinorVersion
+122 uint16 MajorVersion
+124 struct _KTHREAD *CurrentThread
+128 struct _KTHREAD *NextThread
+12c struct _KTHREAD *IdleThread
+130 char Number
+131 char Reserved
+132 uint16 BuildType
+134 uint32 SetMember
+138 char CpuType
+139 char CpuID
+13a uint16 CpuStep
+13c struct _KPROCESSOR_STATE ProcessorState
+13c struct _CONTEXT ContextFrame
+13c uint32 ContextFlags
+140 uint32 Dr0
+144 uint32 Dr1
+148 uint32 Dr2
+14c uint32 Dr3
+150 uint32 Dr6
+154 uint32 Dr7
+158 struct _FLOATING_SAVE_AREA FloatSave
+158 uint32 ControlWord
+15c uint32 StatusWord
+160 uint32 TagWord
+164 uint32 ErrorOffset
+168 uint32 ErrorSelector
+16c uint32 DataOffset
+170 uint32 DataSelector
+174 byte RegisterArea[80]
+1c4 uint32 Cr0NpxState
+1c8 uint32 SegGs
+1cc uint32 SegFs
+1d0 uint32 SegEs
+1d4 uint32 SegDs
+1d8 uint32 Edi
+1dc uint32 Esi
+1e0 uint32 Ebx
+1e4 uint32 Edx
+1e8 uint32 Ecx
+1ec uint32 Eax
+1f0 uint32 Ebp
+1f4 uint32 Eip
+1f8 uint32 SegCs
+1fc uint32 EFlags
+200 uint32 Esp
+204 uint32 SegSs
+208 byte ExtendedRegisters[512]
+408 struct _KSPECIAL_REGISTERS SpecialRegisters
+408 uint32 Cr0
+40c uint32 Cr2
+410 uint32 Cr3
+414 uint32 Cr4
+418 uint32 KernelDr0
+41c uint32 KernelDr1
+420 uint32 KernelDr2
+424 uint32 KernelDr3
+428 uint32 KernelDr6
+42c uint32 KernelDr7
+430 struct _DESCRIPTOR Gdtr
+430 uint16 Pad
+432 uint16 Limit
+434 uint32 Base
+438 struct _DESCRIPTOR Idtr
+438 uint16 Pad
+43a uint16 Limit
+43c uint32 Base
+440 uint16 Tr
+442 uint16 Ldtr
+444 uint32 Reserved[6]
+45c uint32 KernelReserved[16]
+49c uint32 HalReserved[16]
+4dc struct _KSPIN_LOCK_QUEUE LockQueue[16]
struct _KSPIN_LOCK_QUEUE *Next
uint32 *Lock
+55c struct _KTHREAD *NpxThread
+560 uint32 InterruptCount
+564 uint32 KernelTime
+568 uint32 UserTime
+56c uint32 DpcTime
+570 uint32 InterruptTime
+574 uint32 ApcBypassCount
+578 uint32 DpcBypassCount
+57c uint32 AdjustDpcThreshold
+580 uint32 DebugDpcTime
+584 uint32 Spare2[4]
+594 uint32 ThreadStartCount[2]
+59c void *SpareHotData[2]
+5a4 uint32 CcFastReadNoWait
+5a8 uint32 CcFastReadWait
+5ac uint32 CcFastReadNotPossible
+5b0 uint32 CcCopyReadNoWait
+5b4 uint32 CcCopyReadWait
+5b8 uint32 CcCopyReadNoWaitMiss
+5bc uint32 KeAlignmentFixupCount
+5c0 uint32 KeContextSwitches
+5c4 uint32 KeDcacheFlushCount
+5c8 uint32 KeExceptionDispatchCount
+5cc uint32 KeFirstLevelTbFills
+5d0 uint32 KeFloatingEmulationCount
+5d4 uint32 KeIcacheFlushCount
+5d8 uint32 KeSecondLevelTbFills
+5dc uint32 KeSystemCalls
+5e0 uint32 ReservedCounter[8]
+600 void *SmallIrpFreeEntry
+604 void *LargeIrpFreeEntry
+608 void *MdlFreeEntry
+60c void *CreateInfoFreeEntry
+610 void *NameBufferFreeEntry
+614 void *SharedCacheMapEntry
+618 uint32 CachePad0[2]
+620 struct _PP_LOOKASIDE_LIST PPLookasideList[16]
struct _NPAGED_LOOKASIDE_LIST *P
struct _NPAGED_LOOKASIDE_LIST *L
+6a0 struct _PP_LOOKASIDE_LIST PPNPagedLookasideList[8]
struct _NPAGED_LOOKASIDE_LIST *P
struct _NPAGED_LOOKASIDE_LIST *L
+6e0 struct _PP_LOOKASIDE_LIST PPPagedLookasideList[8]
struct _NPAGED_LOOKASIDE_LIST *P
struct _NPAGED_LOOKASIDE_LIST *L
+720 byte ReservedPad[128]
+7a0 void *CurrentPacket[3]
+7ac uint32 TargetSet
+7b0 function *WorkerRoutine
+7b4 uint32 IpiFrozen
+7b8 uint32 CachePad1[2]
+7c0 uint32 RequestSummary
+7c4 struct _KPRCB *SignalDone
+7c8 uint32 ReverseStall
+7cc void *IpiFrame
+7d0 uint32 CachePad2[4]
+7e0 uint32 DpcInterruptRequested
+7e4 void *ChainedInterruptList
+7e8 uint32 CachePad3[2]
+7f0 uint32 MaximumDpcQueueDepth
+7f4 uint32 MinimumDpcRate
+7f8 uint32 CachePad4[2]
+800 struct _LIST_ENTRY DpcListHead
+800 struct _LIST_ENTRY *Flink
+804 struct _LIST_ENTRY *Blink
+808
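uint32 DpcQueueDepth
+80c uint32 DpcRoutineActive
+810 uint32 DpcCount
+814 uint32 DpcLastCount
+818 uint32 DpcRequestRate
+81c void *DpcStack
+820 uint32 KernelReserved2[10]
+848 uint32 DpcLock
+84c byte SkipTick
+84d byte VendorString[13]
+85c uint32 MHz
+860 uint32 FeatureBits
+868 union _LARGE_INTEGER UpdateSignature
+868 uint32 LowPart
+86c int32 HighPart
+868 struct __unnamed3 u
+868 uint32 LowPart
+86c int32 HighPart
+868 int64 QuadPart
+870 uint32 QuantumEnd
+878 struct _PROCESSOR_POWER_STATE PowerState
+878 function *IdleFunction
+87c uint32 Idle0KernelTimeLimit
+880 uint32 Idle0LastTime
+884 void *IdleState
+888 uint64 LastCheck
+890 struct PROCESSOR_IDLE_TIMES IdleTimes
+890 uint64 StartTime
+898 uint64 EndTime
+8a0 uint32 IdleHandlerReserved[4]
+8b0 uint32 IdleTime1
+8b4 uint32 PromotionCheck
+8b8 uint32 IdleTime2
+8bc byte CurrentThrottle
+8bd byte ThrottleLimit
+8be byte Spare1[2]
+8c0 uint32 SetMember
+8c4 void *AbortThrottle
+8c8 uint64 DebugDelta
+8d0 uint32 DebugCount
+8d4 uint32 LastSysTime
+8d8 uint32 Spare2[10]
+900 struct _FX_SAVE_AREA NpxSaveArea
+900 union __unnamed63 U
+900 struct _FNSAVE_FORMAT FnArea
+900 uint32 ControlWord
+904 uint32 StatusWord
+908 uint32 TagWord
+90c uint32 ErrorOffset
+910 uint32 ErrorSelector
+914 uint32 DataOffset
+918 uint32 DataSelector
+91c byte RegisterArea[80]
+900 struct _FXSAVE_FORMAT FxArea
+900 uint16 ControlWord
+902 uint16 StatusWord
+904 uint16 TagWord
+906 uint16 ErrorOpcode
+908 uint32 ErrorOffset
+90c uint32 ErrorSelector
+910 uint32 DataOffset
+914 uint32 DataSelector
+918 uint32 MXCsr
+91c uint32 Reserved2
+920 byte RegisterArea[128]
+9a0 byte Reserved3[128]
+a20 byte Reserved4[224]
+b00 byte Align16Byte[8]
+b08 uint32 NpxSavedCpu
+b0c uint32 Cr0NpxState

/*
 * APC state block. Embedded in KTHREAD at offset 0x34 (ApcState below);
 * the members total 0x17 bytes and the next KTHREAD member sits at 0x4C,
 * so the structure occupies 0x18 bytes including padding.
 */
typedef struct _KAPC_STATE {
    LIST_ENTRY ApcListHead[2];
    DWORD Process;
    BOOLEAN KernelApcInProgress;
    BOOLEAN KernelApcPending;
    BOOLEAN UserApcPending;
} KAPC_STATE, *PKAPC_STATE;

/*
 * Kernel thread object (32-bit layout: the PVOID members advance by 4).
 * Partial definition: it ends at offset 0x1B0 ("// ..." below); the rest of
 * the object is not described on this page.
 *
 * NOTE(review): these offsets are presumably as build-specific as the two
 * divergent KPRCB layouts given earlier on this page; check them against the
 * target build's symbols before using them.
 */
typedef struct _KTHREAD {
/*000*/ DISPATCHER_HEADER Header; // DO_TYPE_THREAD (0x6C)
/*010*/ LIST_ENTRY MutantListHead;
/*018*/ PVOID InitialStack;
/*01C*/ PVOID StackLimit;
/*020*/ struct _TEB *Teb;
/*024*/ PVOID TlsArray;
/*028*/ PVOID KernelStack;
/*02C*/ BOOLEAN DebugActive;
/*02D*/ BYTE State; // THREAD_STATE_*
/*02E*/ BYTE Alerted[2];
/*030*/ BYTE Iopl;
/*031*/ BYTE NpxState;
/*032*/ BYTE Saturation;
/*033*/ BYTE Priority;
/*034*/ KAPC_STATE ApcState;
/*04C*/ DWORD ContextSwitches;
/*050*/ DWORD WaitStatus;
/*054*/ BYTE WaitIrql;
/*055*/ BYTE WaitMode;
/*056*/ BYTE WaitNext;
/*057*/ BYTE WaitReason;
/*058*/ PLIST_ENTRY WaitBlockList;
/*05C*/ LIST_ENTRY WaitListEntry; // see KiDispatcherReadyListHead
/*064*/ DWORD WaitTime;
/*068*/ BYTE BasePriority;
/*069*/ BYTE DecrementCount;
/*06A*/ BYTE PriorityDecrement;
/*06B*/ BYTE Quantum;
/*06C*/ KWAIT_BLOCK WaitBlock[4];
/*0CC*/ DWORD LegoData;
/*0D0*/ DWORD KernelApcDisable;
/*0D4*/ KAFFINITY UserAffinity;
/*0D8*/ BOOLEAN SystemAffinityActive;
/*0D9*/ BYTE PowerState;
/*0DA*/ BYTE NpxIrql;
/*0DB*/ BYTE Pad;
/*0DC*/ DWORD ServiceDescriptorTable;
/*0E0*/ PVOID Queue;
/*0E4*/ PVOID ApcQueueLock;
/*0E8*/ KTIMER Timer;
/*110*/ LIST_ENTRY QueueListEntry;
/*118*/ KAFFINITY Affinity;
/*11C*/ BOOLEAN Preempted;
/*11D*/ BOOLEAN ProcessReadyQueue;
/*11E*/ BOOLEAN KernelStackResident;
/*11F*/ BYTE NextProcessor;
/*120*/ PVOID CallbackStack;
/*124*/ DWORD Win32Thread;
/*128*/ DWORD TrapFrame;
/*12C*/ DWORD ApcStatePointer[2];
/*134*/ KPROCESSOR_MODE PreviousMode;
/*135*/ BOOLEAN EnableStackSwap;
/*136*/ BOOLEAN LargeStack;
/*137*/ BYTE ResourceIndex;
/*138*/ DWORD KernelTime; // ticks
/*13C*/ DWORD UserTime; // ticks
/*140*/ DWORD SavedApcState[6];
/*158*/ BOOLEAN Alertable;
/*159*/ BYTE ApcStateIndex;
/*15A*/ BOOLEAN ApcQueueable;
/*15B*/ BOOLEAN AutoAlignment;
/*15C*/ PVOID StackBase;
/*160*/ KAPC SuspendApc;
/*190*/ KSEMAPHORE SuspendSemaphore;
/*1A4*/ LIST_ENTRY ThreadListEntry; // see KPROCESS
/*1AC*/ BYTE FreezeCount;
/*1AD*/ BYTE SuspendCount;
/*1AE*/ BYTE IdealProcessor;
/*1AF*/ BOOLEAN DisableBoost;
/*1B0*/ // ...
} KTHREAD, *PKTHREAD;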