Awesome
This projects collects my notes while studying the Windows internals. It is divided as follows:
- Sources:
- SkeletonDriver : empty driver
- DispatchPassThru : major function dispatch routine example
- DispatchIoctl : IOCTL dispatch routine example
- FSFilterDriver: : Legacy file system filter driver using Fast I/O.
- Books:
- Windows NT Device Driver Development by Peter G. Viscarola and W. Anthony Mason (resumed version)
- Windows Internals 6th edition by Mark E. Russinovich, David A. Solomon and Alex Ionescu (resumed version)
Important Windows Structures
<details><summary> _DRIVER_OBJECT :</summary>kd> dt nt!_DRIVER_OBJECT
+0x000 Type : Int2B
+0x002 Size : Int2B
+0x004 DeviceObject : Ptr32 _DEVICE_OBJECT
+0x008 Flags : Uint4B
+0x00c DriverStart : Ptr32 Void
+0x010 DriverSize : Uint4B
+0x014 DriverSection : Ptr32 Void
+0x018 DriverExtension : Ptr32 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING
+0x024 HardwareDatabase : Ptr32 _UNICODE_STRING
+0x028 FastIoDispatch : Ptr32 _FAST_IO_DISPATCH
+0x02c DriverInit : Ptr32 long
+0x030 DriverStartIo : Ptr32 void
+0x034 DriverUnload : Ptr32 void
+0x038 MajorFunction : [28] Ptr32 long
kd> dt nt!_DEVICE_OBJECT
+0x000 Type : Int2B
+0x002 Size : Uint2B
+0x004 ReferenceCount : Int4B
+0x008 DriverObject : Ptr32 _DRIVER_OBJECT
+0x00c NextDevice : Ptr32 _DEVICE_OBJECT
+0x010 AttachedDevice : Ptr32 _DEVICE_OBJECT
+0x014 CurrentIrp : Ptr32 _IRP
+0x018 Timer : Ptr32 _IO_TIMER
+0x01c Flags : Uint4B
+0x020 Characteristics : Uint4B
+0x024 Vpb : Ptr32 _VPB
+0x028 DeviceExtension : Ptr32 Void
+0x02c DeviceType : Uint4B
+0x030 StackSize : Char
+0x034 Queue : <unnamed-tag>
+0x05c AlignmentRequirement : Uint4B
+0x060 DeviceQueue : _KDEVICE_QUEUE
+0x074 Dpc : _KDPC
+0x094 ActiveThreadCount : Uint4B
+0x098 SecurityDescriptor : Ptr32 Void
+0x09c DeviceLock : _KEVENT
+0x0ac SectorSize : Uint2B
+0x0ae Spare1 : Uint2B
+0x0b0 DeviceObjectExtension : Ptr32 _DEVOBJ_EXTENSION
+0x0b4 Reserved : Ptr32 Void
kd> dt nt!_IRP
+0x000 Type : Int2B
+0x002 Size : Uint2B
+0x004 MdlAddress : Ptr32 _MDL
+0x008 Flags : Uint4B
+0x00c AssociatedIrp : <unnamed-tag>
+0x010 ThreadListEntry : _LIST_ENTRY
+0x018 IoStatus : _IO_STATUS_BLOCK
+0x020 RequestorMode : Char
+0x021 PendingReturned : UChar
+0x022 StackCount : Char
+0x023 CurrentLocation : Char
+0x024 Cancel : UChar
+0x025 CancelIrql : UChar
+0x026 ApcEnvironment : Char
+0x027 AllocationFlags : UChar
+0x028 UserIosb : Ptr32 _IO_STATUS_BLOCK
+0x02c UserEvent : Ptr32 _KEVENT
+0x030 Overlay : <unnamed-tag>
+0x038 CancelRoutine : Ptr32 void
+0x03c UserBuffer : Ptr32 Void
+0x040 Tail : <unnamed-tag>
kd> dt nt!_IO_STACK_LOCATION
+0x000 MajorFunction : UChar
+0x001 MinorFunction : UChar
+0x002 Flags : UChar
+0x003 Control : UChar
+0x004 Parameters : <unnamed-tag>
+0x014 DeviceObject : Ptr32 _DEVICE_OBJECT
+0x018 FileObject : Ptr32 _FILE_OBJECT
+0x01c CompletionRoutine : Ptr32 long
+0x020 Context : Ptr32 Void
kd> dt nt!_KPCR
+0x000 NtTib : _NT_TIB
+0x000 Used_ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD
+0x004 Used_StackBase : Ptr32 Void
+0x008 Spare2 : Ptr32 Void
+0x00c TssCopy : Ptr32 Void
+0x010 ContextSwitches : Uint4B
+0x014 SetMemberCopy : Uint4B
+0x018 Used_Self : Ptr32 Void
+0x01c SelfPcr : Ptr32 _KPCR
+0x020 Prcb : Ptr32 _KPRCB
+0x024 Irql : UChar
+0x028 IRR : Uint4B
+0x02c IrrActive : Uint4B
+0x030 IDR : Uint4B
+0x034 KdVersionBlock : Ptr32 Void
+0x038 IDT : Ptr32 _KIDTENTRY
+0x03c GDT : Ptr32 _KGDTENTRY
+0x040 TSS : Ptr32 _KTSS
+0x044 MajorVersion : Uint2B
+0x046 MinorVersion : Uint2B
+0x048 SetMember : Uint4B
+0x04c StallScaleFactor : Uint4B
+0x050 SpareUnused : UChar
+0x051 Number : UChar
+0x052 Spare0 : UChar
+0x053 SecondLevelCacheAssociativity : UChar
+0x054 VdmAlert : Uint4B
+0x058 KernelReserved : [14] Uint4B
+0x090 SecondLevelCacheSize : Uint4B
+0x094 HalReserved : [16] Uint4B
+0x0d4 InterruptMode : Uint4B
+0x0d8 Spare1 : UChar
+0x0dc KernelReserved2 : [17] Uint4B
+0x120 PrcbData : _KPRCB
kd> dt nt!_KPRCB
+0x000 MinorVersion : Uint2B
+0x002 MajorVersion : Uint2B
+0x004 CurrentThread : Ptr32 _KTHREAD
+0x008 NextThread : Ptr32 _KTHREAD
+0x00c IdleThread : Ptr32 _KTHREAD
+0x010 LegacyNumber : UChar
+0x011 NestingLevel : UChar
+0x012 BuildType : Uint2B
+0x014 CpuType : Char
+0x015 CpuID : Char
+0x016 CpuStep : Uint2B
+0x016 CpuStepping : UChar
+0x017 CpuModel : UChar
+0x018 ProcessorState : _KPROCESSOR_STATE
+0x338 KernelReserved : [16] Uint4B
+0x378 HalReserved : [16] Uint4B
+0x3b8 CFlushSize : Uint4B
+0x3bc CoresPerPhysicalProcessor : UChar
+0x3bd LogicalProcessorsPerCore : UChar
+0x3be PrcbPad0 : [2] UChar
+0x3c0 MHz : Uint4B
+0x3c4 CpuVendor : UChar
+0x3c5 GroupIndex : UChar
+0x3c6 Group : Uint2B
+0x3c8 GroupSetMember : Uint4B
+0x3cc Number : Uint4B
+0x3d0 PrcbPad1 : [72] UChar
+0x418 LockQueue : [17] _KSPIN_LOCK_QUEUE
+0x4a0 NpxThread : Ptr32 _KTHREAD
+0x4a4 InterruptCount : Uint4B
+0x4a8 KernelTime : Uint4B
+0x4ac UserTime : Uint4B
+0x4b0 DpcTime : Uint4B
+0x4b4 DpcTimeCount : Uint4B
+0x4b8 InterruptTime : Uint4B
+0x4bc AdjustDpcThreshold : Uint4B
+0x4c0 PageColor : Uint4B
+0x4c4 DebuggerSavedIRQL : UChar
+0x4c5 NodeColor : UChar
+0x4c6 PrcbPad20 : [2] UChar
+0x4c8 NodeShiftedColor : Uint4B
+0x4cc ParentNode : Ptr32 _KNODE
+0x4d0 SecondaryColorMask : Uint4B
+0x4d4 DpcTimeLimit : Uint4B
+0x4d8 PrcbPad21 : [2] Uint4B
+0x4e0 CcFastReadNoWait : Uint4B
+0x4e4 CcFastReadWait : Uint4B
+0x4e8 CcFastReadNotPossible : Uint4B
+0x4ec CcCopyReadNoWait : Uint4B
+0x4f0 CcCopyReadWait : Uint4B
+0x4f4 CcCopyReadNoWaitMiss : Uint4B
+0x4f8 MmSpinLockOrdering : Int4B
+0x4fc IoReadOperationCount : Int4B
+0x500 IoWriteOperationCount : Int4B
+0x504 IoOtherOperationCount : Int4B
+0x508 IoReadTransferCount : _LARGE_INTEGER
+0x510 IoWriteTransferCount : _LARGE_INTEGER
+0x518 IoOtherTransferCount : _LARGE_INTEGER
+0x520 CcFastMdlReadNoWait : Uint4B
+0x524 CcFastMdlReadWait : Uint4B
+0x528 CcFastMdlReadNotPossible : Uint4B
+0x52c CcMapDataNoWait : Uint4B
+0x530 CcMapDataWait : Uint4B
+0x534 CcPinMappedDataCount : Uint4B
+0x538 CcPinReadNoWait : Uint4B
+0x53c CcPinReadWait : Uint4B
+0x540 CcMdlReadNoWait : Uint4B
+0x544 CcMdlReadWait : Uint4B
+0x548 CcLazyWriteHotSpots : Uint4B
+0x54c CcLazyWriteIos : Uint4B
+0x550 CcLazyWritePages : Uint4B
+0x554 CcDataFlushes : Uint4B
+0x558 CcDataPages : Uint4B
+0x55c CcLostDelayedWrites : Uint4B
+0x560 CcFastReadResourceMiss : Uint4B
+0x564 CcCopyReadWaitMiss : Uint4B
+0x568 CcFastMdlReadResourceMiss : Uint4B
+0x56c CcMapDataNoWaitMiss : Uint4B
+0x570 CcMapDataWaitMiss : Uint4B
+0x574 CcPinReadNoWaitMiss : Uint4B
+0x578 CcPinReadWaitMiss : Uint4B
+0x57c CcMdlReadNoWaitMiss : Uint4B
+0x580 CcMdlReadWaitMiss : Uint4B
+0x584 CcReadAheadIos : Uint4B
+0x588 KeAlignmentFixupCount : Uint4B
+0x58c KeExceptionDispatchCount : Uint4B
+0x590 KeSystemCalls : Uint4B
+0x594 AvailableTime : Uint4B
+0x598 PrcbPad22 : [2] Uint4B
+0x5a0 PPLookasideList : [16] _PP_LOOKASIDE_LIST
+0x620 PPNPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
+0xf20 PPPagedLookasideList : [32] _GENERAL_LOOKASIDE_POOL
+0x1820 PacketBarrier : Uint4B
+0x1824 ReverseStall : Int4B
+0x1828 IpiFrame : Ptr32 Void
+0x182c PrcbPad3 : [52] UChar
+0x1860 CurrentPacket : [3] Ptr32 Void
+0x186c TargetSet : Uint4B
+0x1870 WorkerRoutine : Ptr32 void
+0x1874 IpiFrozen : Uint4B
+0x1878 PrcbPad4 : [40] UChar
+0x18a0 RequestSummary : Uint4B
+0x18a4 SignalDone : Ptr32 _KPRCB
+0x18a8 PrcbPad50 : [56] UChar
+0x18e0 DpcData : [2] _KDPC_DATA
+0x1908 DpcStack : Ptr32 Void
+0x190c MaximumDpcQueueDepth : Int4B
+0x1910 DpcRequestRate : Uint4B
+0x1914 MinimumDpcRate : Uint4B
+0x1918 DpcLastCount : Uint4B
+0x191c PrcbLock : Uint4B
+0x1920 DpcGate : _KGATE
+0x1930 ThreadDpcEnable : UChar
+0x1931 QuantumEnd : UChar
+0x1932 DpcRoutineActive : UChar
+0x1933 IdleSchedule : UChar
+0x1934 DpcRequestSummary : Int4B
+0x1934 DpcRequestSlot : [2] Int2B
+0x1934 NormalDpcState : Int2B
+0x1936 DpcThreadActive : Pos 0, 1 Bit
+0x1936 ThreadDpcState : Int2B
+0x1938 TimerHand : Uint4B
+0x193c LastTick : Uint4B
+0x1940 MasterOffset : Int4B
+0x1944 PrcbPad41 : [2] Uint4B
+0x194c PeriodicCount : Uint4B
+0x1950 PeriodicBias : Uint4B
+0x1958 TickOffset : Uint8B
+0x1960 TimerTable : _KTIMER_TABLE
+0x31a0 CallDpc : _KDPC
+0x31c0 ClockKeepAlive : Int4B
+0x31c4 ClockCheckSlot : UChar
+0x31c5 ClockPollCycle : UChar
+0x31c6 PrcbPad6 : [2] UChar
+0x31c8 DpcWatchdogPeriod : Int4B
+0x31cc DpcWatchdogCount : Int4B
+0x31d0 ThreadWatchdogPeriod : Int4B
+0x31d4 ThreadWatchdogCount : Int4B
+0x31d8 KeSpinLockOrdering : Int4B
+0x31dc PrcbPad70 : [1] Uint4B
+0x31e0 WaitListHead : _LIST_ENTRY
+0x31e8 WaitLock : Uint4B
+0x31ec ReadySummary : Uint4B
+0x31f0 QueueIndex : Uint4B
+0x31f4 DeferredReadyListHead : _SINGLE_LIST_ENTRY
+0x31f8 StartCycles : Uint8B
+0x3200 CycleTime : Uint8B
+0x3208 HighCycleTime : Uint4B
+0x320c PrcbPad71 : Uint4B
+0x3210 PrcbPad72 : [2] Uint8B
+0x3220 DispatcherReadyListHead : [32] _LIST_ENTRY
+0x3320 ChainedInterruptList : Ptr32 Void
+0x3324 LookasideIrpFloat : Int4B
+0x3328 MmPageFaultCount : Int4B
+0x332c MmCopyOnWriteCount : Int4B
+0x3330 MmTransitionCount : Int4B
+0x3334 MmCacheTransitionCount : Int4B
+0x3338 MmDemandZeroCount : Int4B
+0x333c MmPageReadCount : Int4B
+0x3340 MmPageReadIoCount : Int4B
+0x3344 MmCacheReadCount : Int4B
+0x3348 MmCacheIoCount : Int4B
+0x334c MmDirtyPagesWriteCount : Int4B
+0x3350 MmDirtyWriteIoCount : Int4B
+0x3354 MmMappedPagesWriteCount : Int4B
+0x3358 MmMappedWriteIoCount : Int4B
+0x335c CachedCommit : Uint4B
+0x3360 CachedResidentAvailable : Uint4B
+0x3364 HyperPte : Ptr32 Void
+0x3368 PrcbPad8 : [4] UChar
+0x336c VendorString : [13] UChar
+0x3379 InitialApicId : UChar
+0x337a LogicalProcessorsPerPhysicalProcessor : UChar
+0x337b PrcbPad9 : [5] UChar
+0x3380 FeatureBits : Uint4B
+0x3388 UpdateSignature : _LARGE_INTEGER
+0x3390 IsrTime : Uint8B
+0x3398 RuntimeAccumulation : Uint8B
+0x33a0 PowerState : _PROCESSOR_POWER_STATE
+0x3468 DpcWatchdogDpc : _KDPC
+0x3488 DpcWatchdogTimer : _KTIMER
+0x34b0 WheaInfo : Ptr32 Void
+0x34b4 EtwSupport : Ptr32 Void
+0x34b8 InterruptObjectPool : _SLIST_HEADER
+0x34c0 HypercallPageList : _SLIST_HEADER
+0x34c8 HypercallPageVirtual : Ptr32 Void
+0x34cc VirtualApicAssist : Ptr32 Void
+0x34d0 StatisticsPage : Ptr32 Uint8B
+0x34d4 RateControl : Ptr32 Void
+0x34d8 Cache : [5] _CACHE_DESCRIPTOR
+0x3514 CacheCount : Uint4B
+0x3518 CacheProcessorMask : [5] Uint4B
+0x352c PackageProcessorSet : _KAFFINITY_EX
+0x3538 PrcbPad91 : [1] Uint4B
+0x353c CoreProcessorSet : Uint4B
+0x3540 TimerExpirationDpc : _KDPC
+0x3560 SpinLockAcquireCount : Uint4B
+0x3564 SpinLockContentionCount : Uint4B
+0x3568 SpinLockSpinCount : Uint4B
+0x356c IpiSendRequestBroadcastCount : Uint4B
+0x3570 IpiSendRequestRoutineCount : Uint4B
+0x3574 IpiSendSoftwareInterruptCount : Uint4B
+0x3578 ExInitializeResourceCount : Uint4B
+0x357c ExReInitializeResourceCount : Uint4B
+0x3580 ExDeleteResourceCount : Uint4B
+0x3584 ExecutiveResourceAcquiresCount : Uint4B
+0x3588 ExecutiveResourceContentionsCount : Uint4B
+0x358c ExecutiveResourceReleaseExclusiveCount : Uint4B
+0x3590 ExecutiveResourceReleaseSharedCount : Uint4B
+0x3594 ExecutiveResourceConvertsCount : Uint4B
+0x3598 ExAcqResExclusiveAttempts : Uint4B
+0x359c ExAcqResExclusiveAcquiresExclusive : Uint4B
+0x35a0 ExAcqResExclusiveAcquiresExclusiveRecursive : Uint4B
+0x35a4 ExAcqResExclusiveWaits : Uint4B
+0x35a8 ExAcqResExclusiveNotAcquires : Uint4B
+0x35ac ExAcqResSharedAttempts : Uint4B
+0x35b0 ExAcqResSharedAcquiresExclusive : Uint4B
+0x35b4 ExAcqResSharedAcquiresShared : Uint4B
+0x35b8 ExAcqResSharedAcquiresSharedRecursive : Uint4B
+0x35bc ExAcqResSharedWaits : Uint4B
+0x35c0 ExAcqResSharedNotAcquires : Uint4B
+0x35c4 ExAcqResSharedStarveExclusiveAttempts : Uint4B
+0x35c8 ExAcqResSharedStarveExclusiveAcquiresExclusive : Uint4B
+0x35cc ExAcqResSharedStarveExclusiveAcquiresShared : Uint4B
+0x35d0 ExAcqResSharedStarveExclusiveAcquiresSharedRecursive : Uint4B
+0x35d4 ExAcqResSharedStarveExclusiveWaits : Uint4B
+0x35d8 ExAcqResSharedStarveExclusiveNotAcquires : Uint4B
+0x35dc ExAcqResSharedWaitForExclusiveAttempts : Uint4B
+0x35e0 ExAcqResSharedWaitForExclusiveAcquiresExclusive : Uint4B
+0x35e4 ExAcqResSharedWaitForExclusiveAcquiresShared : Uint4B
+0x35e8 ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive : Uint4B
+0x35ec ExAcqResSharedWaitForExclusiveWaits : Uint4B
+0x35f0 ExAcqResSharedWaitForExclusiveNotAcquires : Uint4B
+0x35f4 ExSetResOwnerPointerExclusive : Uint4B
+0x35f8 ExSetResOwnerPointerSharedNew : Uint4B
+0x35fc ExSetResOwnerPointerSharedOld : Uint4B
+0x3600 ExTryToAcqExclusiveAttempts : Uint4B
+0x3604 ExTryToAcqExclusiveAcquires : Uint4B
+0x3608 ExBoostExclusiveOwner : Uint4B
+0x360c ExBoostSharedOwners : Uint4B
+0x3610 ExEtwSynchTrackingNotificationsCount : Uint4B
+0x3614 ExEtwSynchTrackingNotificationsAccountedCount : Uint4B
+0x3618 Context : Ptr32 _CONTEXT
+0x361c ContextFlags : Uint4B
+0x3620 ExtendedState : Ptr32 _XSAVE_AREA
kd> dt nt!_ETHREAD
+0x000 Tcb : _KTHREAD
+0x200 CreateTime : _LARGE_INTEGER
+0x208 ExitTime : _LARGE_INTEGER
+0x208 KeyedWaitChain : _LIST_ENTRY
+0x210 ExitStatus : Int4B
+0x214 PostBlockList : _LIST_ENTRY
+0x214 ForwardLinkShadow : Ptr32 Void
+0x218 StartAddress : Ptr32 Void
+0x21c TerminationPort : Ptr32 _TERMINATION_PORT
+0x21c ReaperLink : Ptr32 _ETHREAD
+0x21c KeyedWaitValue : Ptr32 Void
+0x220 ActiveTimerListLock : Uint4B
+0x224 ActiveTimerListHead : _LIST_ENTRY
+0x22c Cid : _CLIENT_ID
+0x234 KeyedWaitSemaphore : _KSEMAPHORE
+0x234 AlpcWaitSemaphore : _KSEMAPHORE
+0x248 ClientSecurity : _PS_CLIENT_SECURITY_CONTEXT
+0x24c IrpList : _LIST_ENTRY
+0x254 TopLevelIrp : Uint4B
+0x258 DeviceToVerify : Ptr32 _DEVICE_OBJECT
+0x25c CpuQuotaApc : Ptr32 _PSP_CPU_QUOTA_APC
+0x260 Win32StartAddress : Ptr32 Void
+0x264 LegacyPowerObject : Ptr32 Void
+0x268 ThreadListEntry : _LIST_ENTRY
+0x270 RundownProtect : _EX_RUNDOWN_REF
+0x274 ThreadLock : _EX_PUSH_LOCK
+0x278 ReadClusterSize : Uint4B
+0x27c MmLockOrdering : Int4B
+0x280 CrossThreadFlags : Uint4B
+0x280 Terminated : Pos 0, 1 Bit
+0x280 ThreadInserted : Pos 1, 1 Bit
+0x280 HideFromDebugger : Pos 2, 1 Bit
+0x280 ActiveImpersonationInfo : Pos 3, 1 Bit
+0x280 Reserved : Pos 4, 1 Bit
+0x280 HardErrorsAreDisabled : Pos 5, 1 Bit
+0x280 BreakOnTermination : Pos 6, 1 Bit
+0x280 SkipCreationMsg : Pos 7, 1 Bit
+0x280 SkipTerminationMsg : Pos 8, 1 Bit
+0x280 CopyTokenOnOpen : Pos 9, 1 Bit
+0x280 ThreadIoPriority : Pos 10, 3 Bits
+0x280 ThreadPagePriority : Pos 13, 3 Bits
+0x280 RundownFail : Pos 16, 1 Bit
+0x280 NeedsWorkingSetAging : Pos 17, 1 Bit
+0x284 SameThreadPassiveFlags : Uint4B
+0x284 ActiveExWorker : Pos 0, 1 Bit
+0x284 ExWorkerCanWaitUser : Pos 1, 1 Bit
+0x284 MemoryMaker : Pos 2, 1 Bit
+0x284 ClonedThread : Pos 3, 1 Bit
+0x284 KeyedEventInUse : Pos 4, 1 Bit
+0x284 RateApcState : Pos 5, 2 Bits
+0x284 SelfTerminate : Pos 7, 1 Bit
+0x288 SameThreadApcFlags : Uint4B
+0x288 Spare : Pos 0, 1 Bit
+0x288 StartAddressInvalid : Pos 1, 1 Bit
+0x288 EtwPageFaultCalloutActive : Pos 2, 1 Bit
+0x288 OwnsProcessWorkingSetExclusive : Pos 3, 1 Bit
+0x288 OwnsProcessWorkingSetShared : Pos 4, 1 Bit
+0x288 OwnsSystemCacheWorkingSetExclusive : Pos 5, 1 Bit
+0x288 OwnsSystemCacheWorkingSetShared : Pos 6, 1 Bit
+0x288 OwnsSessionWorkingSetExclusive : Pos 7, 1 Bit
+0x289 OwnsSessionWorkingSetShared : Pos 0, 1 Bit
+0x289 OwnsProcessAddressSpaceExclusive : Pos 1, 1 Bit
+0x289 OwnsProcessAddressSpaceShared : Pos 2, 1 Bit
+0x289 SuppressSymbolLoad : Pos 3, 1 Bit
+0x289 Prefetching : Pos 4, 1 Bit
+0x289 OwnsDynamicMemoryShared : Pos 5, 1 Bit
+0x289 OwnsChangeControlAreaExclusive : Pos 6, 1 Bit
+0x289 OwnsChangeControlAreaShared : Pos 7, 1 Bit
+0x28a OwnsPagedPoolWorkingSetExclusive : Pos 0, 1 Bit
+0x28a OwnsPagedPoolWorkingSetShared : Pos 1, 1 Bit
+0x28a OwnsSystemPtesWorkingSetExclusive : Pos 2, 1 Bit
+0x28a OwnsSystemPtesWorkingSetShared : Pos 3, 1 Bit
+0x28a TrimTrigger : Pos 4, 2 Bits
+0x28a Spare1 : Pos 6, 2 Bits
+0x28b PriorityRegionActive : UChar
+0x28c CacheManagerActive : UChar
+0x28d DisablePageFaultClustering : UChar
+0x28e ActiveFaultCount : UChar
+0x28f LockOrderState : UChar
+0x290 AlpcMessageId : Uint4B
+0x294 AlpcMessage : Ptr32 Void
+0x294 AlpcReceiveAttributeSet : Uint4B
+0x298 AlpcWaitListEntry : _LIST_ENTRY
+0x2a0 CacheManagerCount : Uint4B
+0x2a4 IoBoostCount : Uint4B
+0x2a8 IrpListLock : Uint4B
+0x2ac ReservedForSynchTracking : Ptr32 Void
+0x2b0 CmCallbackListHead : _SINGLE_LIST_ENTRY
kd> dt nt!_KTHREAD
+0x000 Header : _DISPATCHER_HEADER
+0x010 CycleTime : Uint8B
+0x018 HighCycleTime : Uint4B
+0x020 QuantumTarget : Uint8B
+0x028 InitialStack : Ptr32 Void
+0x02c StackLimit : Ptr32 Void
+0x030 KernelStack : Ptr32 Void
+0x034 ThreadLock : Uint4B
+0x038 WaitRegister : _KWAIT_STATUS_REGISTER
+0x039 Running : UChar
+0x03a Alerted : [2] UChar
+0x03c KernelStackResident : Pos 0, 1 Bit
+0x03c ReadyTransition : Pos 1, 1 Bit
+0x03c ProcessReadyQueue : Pos 2, 1 Bit
+0x03c WaitNext : Pos 3, 1 Bit
+0x03c SystemAffinityActive : Pos 4, 1 Bit
+0x03c Alertable : Pos 5, 1 Bit
+0x03c GdiFlushActive : Pos 6, 1 Bit
+0x03c UserStackWalkActive : Pos 7, 1 Bit
+0x03c ApcInterruptRequest : Pos 8, 1 Bit
+0x03c ForceDeferSchedule : Pos 9, 1 Bit
+0x03c QuantumEndMigrate : Pos 10, 1 Bit
+0x03c UmsDirectedSwitchEnable : Pos 11, 1 Bit
+0x03c TimerActive : Pos 12, 1 Bit
+0x03c SystemThread : Pos 13, 1 Bit
+0x03c Reserved : Pos 14, 18 Bits
+0x03c MiscFlags : Int4B
+0x040 ApcState : _KAPC_STATE
+0x040 ApcStateFill : [23] UChar
+0x057 Priority : Char
+0x058 NextProcessor : Uint4B
+0x05c DeferredProcessor : Uint4B
+0x060 ApcQueueLock : Uint4B
+0x064 ContextSwitches : Uint4B
+0x068 State : UChar
+0x069 NpxState : Char
+0x06a WaitIrql : UChar
+0x06b WaitMode : Char
+0x06c WaitStatus : Int4B
+0x070 WaitBlockList : Ptr32 _KWAIT_BLOCK
+0x074 WaitListEntry : _LIST_ENTRY
+0x074 SwapListEntry : _SINGLE_LIST_ENTRY
+0x07c Queue : Ptr32 _KQUEUE
+0x080 WaitTime : Uint4B
+0x084 KernelApcDisable : Int2B
+0x086 SpecialApcDisable : Int2B
+0x084 CombinedApcDisable : Uint4B
+0x088 Teb : Ptr32 Void
+0x090 Timer : _KTIMER
+0x0b8 AutoAlignment : Pos 0, 1 Bit
+0x0b8 DisableBoost : Pos 1, 1 Bit
+0x0b8 EtwStackTraceApc1Inserted : Pos 2, 1 Bit
+0x0b8 EtwStackTraceApc2Inserted : Pos 3, 1 Bit
+0x0b8 CalloutActive : Pos 4, 1 Bit
+0x0b8 ApcQueueable : Pos 5, 1 Bit
+0x0b8 EnableStackSwap : Pos 6, 1 Bit
+0x0b8 GuiThread : Pos 7, 1 Bit
+0x0b8 UmsPerformingSyscall : Pos 8, 1 Bit
+0x0b8 VdmSafe : Pos 9, 1 Bit
+0x0b8 UmsDispatched : Pos 10, 1 Bit
+0x0b8 ReservedFlags : Pos 11, 21 Bits
+0x0b8 ThreadFlags : Int4B
+0x0bc ServiceTable : Ptr32 Void
+0x0c0 WaitBlock : [4] _KWAIT_BLOCK
+0x120 QueueListEntry : _LIST_ENTRY
+0x128 TrapFrame : Ptr32 _KTRAP_FRAME
+0x12c FirstArgument : Ptr32 Void
+0x130 CallbackStack : Ptr32 Void
+0x130 CallbackDepth : Uint4B
+0x134 ApcStateIndex : UChar
+0x135 BasePriority : Char
+0x136 PriorityDecrement : Char
+0x136 ForegroundBoost : Pos 0, 4 Bits
+0x136 UnusualBoost : Pos 4, 4 Bits
+0x137 Preempted : UChar
+0x138 AdjustReason : UChar
+0x139 AdjustIncrement : Char
+0x13a PreviousMode : Char
+0x13b Saturation : Char
+0x13c SystemCallNumber : Uint4B
+0x140 FreezeCount : Uint4B
+0x144 UserAffinity : _GROUP_AFFINITY
+0x150 Process : Ptr32 _KPROCESS
+0x154 Affinity : _GROUP_AFFINITY
+0x160 IdealProcessor : Uint4B
+0x164 UserIdealProcessor : Uint4B
+0x168 ApcStatePointer : [2] Ptr32 _KAPC_STATE
+0x170 SavedApcState : _KAPC_STATE
+0x170 SavedApcStateFill : [23] UChar
+0x187 WaitReason : UChar
+0x188 SuspendCount : Char
+0x189 Spare1 : Char
+0x18a OtherPlatformFill : UChar
+0x18c Win32Thread : Ptr32 Void
+0x190 StackBase : Ptr32 Void
+0x194 SuspendApc : _KAPC
+0x194 SuspendApcFill0 : [1] UChar
+0x195 ResourceIndex : UChar
+0x194 SuspendApcFill1 : [3] UChar
+0x197 QuantumReset : UChar
+0x194 SuspendApcFill2 : [4] UChar
+0x198 KernelTime : Uint4B
+0x194 SuspendApcFill3 : [36] UChar
+0x1b8 WaitPrcb : Ptr32 _KPRCB
+0x194 SuspendApcFill4 : [40] UChar
+0x1bc LegoData : Ptr32 Void
+0x194 SuspendApcFill5 : [47] UChar
+0x1c3 LargeStack : UChar
+0x1c4 UserTime : Uint4B
+0x1c8 SuspendSemaphore : _KSEMAPHORE
+0x1c8 SuspendSemaphorefill : [20] UChar
+0x1dc SListFaultCount : Uint4B
+0x1e0 ThreadListEntry : _LIST_ENTRY
+0x1e8 MutantListHead : _LIST_ENTRY
+0x1f0 SListFaultAddress : Ptr32 Void
+0x1f4 ThreadCounters : Ptr32 _KTHREAD_COUNTERS
+0x1f8 XStateSave : Ptr32 _XSTATE_SAVE
kd> dt nt!_KAPC_STATE
+0x000 ApcListHead : [2] _LIST_ENTRY
+0x010 Process : Ptr32 _KPROCESS
+0x014 KernelApcInProgress : UChar
+0x015 KernelApcPending : UChar
+0x016 UserApcPending : UChar
kd> dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x098 ProcessLock : _EX_PUSH_LOCK
+0x0a0 CreateTime : _LARGE_INTEGER
+0x0a8 ExitTime : _LARGE_INTEGER
+0x0b0 RundownProtect : _EX_RUNDOWN_REF
+0x0b4 UniqueProcessId : Ptr32 Void
+0x0b8 ActiveProcessLinks : _LIST_ENTRY
+0x0c0 ProcessQuotaUsage : [2] Uint4B
+0x0c8 ProcessQuotaPeak : [2] Uint4B
+0x0d0 CommitCharge : Uint4B
+0x0d4 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x0d8 CpuQuotaBlock : Ptr32 _PS_CPU_QUOTA_BLOCK
+0x0dc PeakVirtualSize : Uint4B
+0x0e0 VirtualSize : Uint4B
+0x0e4 SessionProcessLinks : _LIST_ENTRY
+0x0ec DebugPort : Ptr32 Void
+0x0f0 ExceptionPortData : Ptr32 Void
+0x0f0 ExceptionPortValue : Uint4B
+0x0f0 ExceptionPortState : Pos 0, 3 Bits
+0x0f4 ObjectTable : Ptr32 _HANDLE_TABLE
+0x0f8 Token : _EX_FAST_REF
+0x0fc WorkingSetPage : Uint4B
+0x100 AddressCreationLock : _EX_PUSH_LOCK
+0x104 RotateInProgress : Ptr32 _ETHREAD
+0x108 ForkInProgress : Ptr32 _ETHREAD
+0x10c HardwareTrigger : Uint4B
+0x110 PhysicalVadRoot : Ptr32 _MM_AVL_TABLE
+0x114 CloneRoot : Ptr32 Void
+0x118 NumberOfPrivatePages : Uint4B
+0x11c NumberOfLockedPages : Uint4B
+0x120 Win32Process : Ptr32 Void
+0x124 Job : Ptr32 _EJOB
+0x128 SectionObject : Ptr32 Void
+0x12c SectionBaseAddress : Ptr32 Void
+0x130 Cookie : Uint4B
+0x134 Spare8 : Uint4B
+0x138 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
+0x13c Win32WindowStation : Ptr32 Void
+0x140 InheritedFromUniqueProcessId : Ptr32 Void
+0x144 LdtInformation : Ptr32 Void
+0x148 VdmObjects : Ptr32 Void
+0x14c ConsoleHostProcess : Uint4B
+0x150 DeviceMap : Ptr32 Void
+0x154 EtwDataSource : Ptr32 Void
+0x158 FreeTebHint : Ptr32 Void
+0x160 PageDirectoryPte : _HARDWARE_PTE
+0x160 Filler : Uint8B
+0x168 Session : Ptr32 Void
+0x16c ImageFileName : [15] UChar
+0x17b PriorityClass : UChar
+0x17c JobLinks : _LIST_ENTRY
+0x184 LockedPagesList : Ptr32 Void
+0x188 ThreadListHead : _LIST_ENTRY
+0x190 SecurityPort : Ptr32 Void
+0x194 PaeTop : Ptr32 Void
+0x198 ActiveThreads : Uint4B
+0x19c ImagePathHash : Uint4B
+0x1a0 DefaultHardErrorProcessing : Uint4B
+0x1a4 LastThreadExitStatus : Int4B
+0x1a8 Peb : Ptr32 _PEB
+0x1ac PrefetchTrace : _EX_FAST_REF
+0x1b0 ReadOperationCount : _LARGE_INTEGER
+0x1b8 WriteOperationCount : _LARGE_INTEGER
+0x1c0 OtherOperationCount : _LARGE_INTEGER
+0x1c8 ReadTransferCount : _LARGE_INTEGER
+0x1d0 WriteTransferCount : _LARGE_INTEGER
+0x1d8 OtherTransferCount : _LARGE_INTEGER
+0x1e0 CommitChargeLimit : Uint4B
+0x1e4 CommitChargePeak : Uint4B
+0x1e8 AweInfo : Ptr32 Void
+0x1ec SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f0 Vm : _MMSUPPORT
+0x25c MmProcessLinks : _LIST_ENTRY
+0x264 HighestUserAddress : Ptr32 Void
+0x268 ModifiedPageCount : Uint4B
+0x26c Flags2 : Uint4B
+0x26c JobNotReallyActive : Pos 0, 1 Bit
+0x26c AccountingFolded : Pos 1, 1 Bit
+0x26c NewProcessReported : Pos 2, 1 Bit
+0x26c ExitProcessReported : Pos 3, 1 Bit
+0x26c ReportCommitChanges : Pos 4, 1 Bit
+0x26c LastReportMemory : Pos 5, 1 Bit
+0x26c ReportPhysicalPageChanges : Pos 6, 1 Bit
+0x26c HandleTableRundown : Pos 7, 1 Bit
+0x26c NeedsHandleRundown : Pos 8, 1 Bit
+0x26c RefTraceEnabled : Pos 9, 1 Bit
+0x26c NumaAware : Pos 10, 1 Bit
+0x26c ProtectedProcess : Pos 11, 1 Bit
+0x26c DefaultPagePriority : Pos 12, 3 Bits
+0x26c PrimaryTokenFrozen : Pos 15, 1 Bit
+0x26c ProcessVerifierTarget : Pos 16, 1 Bit
+0x26c StackRandomizationDisabled : Pos 17, 1 Bit
+0x26c AffinityPermanent : Pos 18, 1 Bit
+0x26c AffinityUpdateEnable : Pos 19, 1 Bit
+0x26c PropagateNode : Pos 20, 1 Bit
+0x26c ExplicitAffinity : Pos 21, 1 Bit
+0x270 Flags : Uint4B
+0x270 CreateReported : Pos 0, 1 Bit
+0x270 NoDebugInherit : Pos 1, 1 Bit
+0x270 ProcessExiting : Pos 2, 1 Bit
+0x270 ProcessDelete : Pos 3, 1 Bit
+0x270 Wow64SplitPages : Pos 4, 1 Bit
+0x270 VmDeleted : Pos 5, 1 Bit
+0x270 OutswapEnabled : Pos 6, 1 Bit
+0x270 Outswapped : Pos 7, 1 Bit
+0x270 ForkFailed : Pos 8, 1 Bit
+0x270 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x270 AddressSpaceInitialized : Pos 10, 2 Bits
+0x270 SetTimerResolution : Pos 12, 1 Bit
+0x270 BreakOnTermination : Pos 13, 1 Bit
+0x270 DeprioritizeViews : Pos 14, 1 Bit
+0x270 WriteWatch : Pos 15, 1 Bit
+0x270 ProcessInSession : Pos 16, 1 Bit
+0x270 OverrideAddressSpace : Pos 17, 1 Bit
+0x270 HasAddressSpace : Pos 18, 1 Bit
+0x270 LaunchPrefetched : Pos 19, 1 Bit
+0x270 InjectInpageErrors : Pos 20, 1 Bit
+0x270 VmTopDown : Pos 21, 1 Bit
+0x270 ImageNotifyDone : Pos 22, 1 Bit
+0x270 PdeUpdateNeeded : Pos 23, 1 Bit
+0x270 VdmAllowed : Pos 24, 1 Bit
+0x270 CrossSessionCreate : Pos 25, 1 Bit
+0x270 ProcessInserted : Pos 26, 1 Bit
+0x270 DefaultIoPriority : Pos 27, 3 Bits
+0x270 ProcessSelfDelete : Pos 30, 1 Bit
+0x270 SetTimerResolutionLink : Pos 31, 1 Bit
+0x274 ExitStatus : Int4B
+0x278 VadRoot : _MM_AVL_TABLE
+0x298 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x2a8 TimerResolutionLink : _LIST_ENTRY
+0x2b0 RequestedTimerResolution : Uint4B
+0x2b4 ActiveThreadsHighWatermark : Uint4B
+0x2b8 SmallestTimerResolution : Uint4B
+0x2bc TimerResolutionStackRecord : Ptr32 _PO_DIAG_STACK_RECORD
kd> dt nt!_KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x010 ProfileListHead : _LIST_ENTRY
+0x018 DirectoryTableBase : Uint4B
+0x01c LdtDescriptor : _KGDTENTRY
+0x024 Int21Descriptor : _KIDTENTRY
+0x02c ThreadListHead : _LIST_ENTRY
+0x034 ProcessLock : Uint4B
+0x038 Affinity : _KAFFINITY_EX
+0x044 ReadyListHead : _LIST_ENTRY
+0x04c SwapListEntry : _SINGLE_LIST_ENTRY
+0x050 ActiveProcessors : _KAFFINITY_EX
+0x05c AutoAlignment : Pos 0, 1 Bit
+0x05c DisableBoost : Pos 1, 1 Bit
+0x05c DisableQuantum : Pos 2, 1 Bit
+0x05c ActiveGroupsMask : Pos 3, 1 Bit
+0x05c ReservedFlags : Pos 4, 28 Bits
+0x05c ProcessFlags : Int4B
+0x060 BasePriority : Char
+0x061 QuantumReset : Char
+0x062 Visited : UChar
+0x063 Unused3 : UChar
+0x064 ThreadSeed : [1] Uint4B
+0x068 IdealNode : [1] Uint2B
+0x06a IdealGlobalNode : Uint2B
+0x06c Flags : _KEXECUTE_OPTIONS
+0x06d Unused1 : UChar
+0x06e IopmOffset : Uint2B
+0x070 Unused4 : Uint4B
+0x074 StackCount : _KSTACK_COUNT
+0x078 ProcessListEntry : _LIST_ENTRY
+0x080 CycleTime : Uint8B
+0x088 KernelTime : Uint4B
+0x08c UserTime : Uint4B
+0x090 VdmTrapcHandler : Ptr32 Void