#pragma once #include "PEStructs.h" #ifdef _WIN10_ #include "NativeStructs10.h" #elif _WIN81_ #include "NativeStructs81.h" #elif _WIN8_ #include "NativeStructs8.h" #elif _WIN7_ #include "NativeStructs7.h" #else #error Unsupported OS build version #endif #define MAKEINTRESOURCEW(i) ((PWCH)((ULONG_PTR)((USHORT)(i)))) typedef struct _SYSTEM_SERVICE_DESCRIPTOR_TABLE { PULONG_PTR ServiceTableBase; PULONG ServiceCounterTableBase; ULONG_PTR NumberOfServices; PUCHAR ParamTableBase; } SYSTEM_SERVICE_DESCRIPTOR_TABLE, *PSYSTEM_SERVICE_DESCRIPTOR_TABLE; typedef union _PS_PROTECTION { UCHAR Level; struct { int Type : 3; int Audit : 1; int Signer : 4; } Flags; } PS_PROTECTION, *PPS_PROTECTION; typedef union _KEXECUTE_OPTIONS { struct { int ExecuteDisable : 1; // 0x01 int ExecuteEnable : 1; // 0x02 int DisableThunkEmulation : 1; // 0x04 int Permanent : 1; // 0x08 int ExecuteDispatchEnable : 1; // 0x10 int ImageDispatchEnable : 1; // 0x20 int DisableExceptionChainValidation : 1; // 0x40 int Spare : 1; } Flags; UCHAR ExecuteOptions; } KEXECUTE_OPTIONS, *PKEXECUTE_OPTIONS; typedef struct _EPROCESS_FLAGS2 { unsigned int JobNotReallyActive : 1; unsigned int AccountingFolded : 1; unsigned int NewProcessReported : 1; unsigned int ExitProcessReported : 1; unsigned int ReportCommitChanges : 1; unsigned int LastReportMemory : 1; unsigned int ForceWakeCharge : 1; unsigned int CrossSessionCreate : 1; unsigned int NeedsHandleRundown : 1; unsigned int RefTraceEnabled : 1; unsigned int DisableDynamicCode : 1; unsigned int EmptyJobEvaluated : 1; unsigned int DefaultPagePriority : 3; unsigned int PrimaryTokenFrozen : 1; unsigned int ProcessVerifierTarget : 1; unsigned int StackRandomizationDisabled : 1; unsigned int AffinityPermanent : 1; unsigned int AffinityUpdateEnable : 1; unsigned int PropagateNode : 1; unsigned int ExplicitAffinity : 1; unsigned int ProcessExecutionState : 2; unsigned int DisallowStrippedImages : 1; unsigned int HighEntropyASLREnabled : 1; unsigned int ExtensionPointDisable : 1; unsigned int ForceRelocateImages : 1; unsigned int ProcessStateChangeRequest : 2; unsigned int ProcessStateChangeInProgress : 1; unsigned int DisallowWin32kSystemCalls : 1; } EPROCESS_FLAGS2, *PEPROCESS_FLAGS2; typedef struct _MITIGATION_FLAGS { unsigned int ControlFlowGuardEnabled : 1; unsigned int ControlFlowGuardExportSuppressionEnabled : 1; unsigned int ControlFlowGuardStrict : 1; unsigned int DisallowStrippedImages : 1; unsigned int ForceRelocateImages : 1; unsigned int HighEntropyASLREnabled : 1; unsigned int StackRandomizationDisabled : 1; unsigned int ExtensionPointDisable : 1; unsigned int DisableDynamicCode : 1; unsigned int DisableDynamicCodeAllowOptOut : 1; unsigned int DisableDynamicCodeAllowRemoteDowngrade : 1; unsigned int AuditDisableDynamicCode : 1; unsigned int DisallowWin32kSystemCalls : 1; unsigned int AuditDisallowWin32kSystemCalls : 1; unsigned int EnableFilteredWin32kAPIs : 1; unsigned int AuditFilteredWin32kAPIs : 1; unsigned int DisableNonSystemFonts : 1; unsigned int AuditNonSystemFontLoading : 1; unsigned int PreferSystem32Images : 1; unsigned int ProhibitRemoteImageMap : 1; unsigned int AuditProhibitRemoteImageMap : 1; unsigned int ProhibitLowILImageMap : 1; unsigned int AuditProhibitLowILImageMap : 1; unsigned int SignatureMitigationOptIn : 1; unsigned int AuditBlockNonMicrosoftBinaries : 1; unsigned int AuditBlockNonMicrosoftBinariesAllowStore : 1; unsigned int LoaderIntegrityContinuityEnabled : 1; unsigned int AuditLoaderIntegrityContinuity : 1; unsigned int EnableModuleTamperingProtection : 1; unsigned int EnableModuleTamperingProtectionNoInherit : 1; unsigned int RestrictIndirectBranchPrediction; unsigned int IsolateSecurityDomain; } MITIGATION_FLAGS, *PMITIGATION_FLAGS; typedef union _EXHANDLE { struct { int TagBits : 2; int Index : 30; } u; void * GenericHandleOverlay; ULONG_PTR Value; } EXHANDLE, *PEXHANDLE; #pragma warning(disable : 4214 4201) #pragma pack(push, 1) typedef struct _POOL_HEADER // Size=16 { union { struct { unsigned long PreviousSize : 8; // Size=4 Offset=0 BitOffset=0 BitCount=8 unsigned long PoolIndex : 8; // Size=4 Offset=0 BitOffset=8 BitCount=8 unsigned long BlockSize : 8; // Size=4 Offset=0 BitOffset=16 BitCount=8 unsigned long PoolType : 8; // Size=4 Offset=0 BitOffset=24 BitCount=8 }; unsigned long Ulong1; // Size=4 Offset=0 }; unsigned long PoolTag; // Size=4 Offset=4 union { struct _EPROCESS * ProcessBilled; // Size=8 Offset=8 struct { unsigned short AllocatorBackTraceIndex; // Size=2 Offset=8 unsigned short PoolTagHash; // Size=2 Offset=10 }; }; } POOL_HEADER, *PPOOL_HEADER; #pragma pack(pop) typedef struct _HANDLE_TABLE_ENTRY // Size=16 { union { ULONG_PTR VolatileLowValue; // Size=8 Offset=0 ULONG_PTR LowValue; // Size=8 Offset=0 struct _HANDLE_TABLE_ENTRY_INFO * InfoTable; // Size=8 Offset=0 struct { ULONG_PTR Unlocked : 1; // Size=8 Offset=0 BitOffset=0 BitCount=1 ULONG_PTR RefCnt : 16; // Size=8 Offset=0 BitOffset=1 BitCount=16 ULONG_PTR Attributes : 3; // Size=8 Offset=0 BitOffset=17 BitCount=3 ULONG_PTR ObjectPointerBits : 44; // Size=8 Offset=0 BitOffset=20 BitCount=44 }; }; union { ULONG_PTR HighValue; // Size=8 Offset=8 struct _HANDLE_TABLE_ENTRY * NextFreeHandleEntry; // Size=8 Offset=8 union _EXHANDLE LeafHandleValue; // Size=8 Offset=8 struct { ULONG GrantedAccessBits : 25; // Size=4 Offset=8 BitOffset=0 BitCount=25 ULONG NoRightsUpgrade : 1; // Size=4 Offset=8 BitOffset=25 BitCount=1 ULONG Spare : 6; // Size=4 Offset=8 BitOffset=26 BitCount=6 }; }; ULONG TypeInfo; // Size=4 Offset=12 } HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY; typedef struct _OBJECT_HEADER // Size=56 { ULONG_PTR PointerCount; // Size=8 Offset=0 union { ULONG_PTR HandleCount; // Size=8 Offset=8 void * NextToFree; // Size=8 Offset=8 }; void* Lock; // Size=8 Offset=16 UCHAR TypeIndex; // Size=1 Offset=24 union { UCHAR TraceFlags; // Size=1 Offset=25 struct { UCHAR DbgRefTrace : 1; // Size=1 Offset=25 BitOffset=0 BitCount=1 UCHAR DbgTracePermanent : 1; // Size=1 Offset=25 BitOffset=1 BitCount=1 }; }; UCHAR InfoMask; // Size=1 Offset=26 union { UCHAR Flags; // Size=1 Offset=27 struct { UCHAR NewObject : 1; // Size=1 Offset=27 BitOffset=0 BitCount=1 UCHAR KernelObject : 1; // Size=1 Offset=27 BitOffset=1 BitCount=1 UCHAR KernelOnlyAccess : 1; // Size=1 Offset=27 BitOffset=2 BitCount=1 UCHAR ExclusiveObject : 1; // Size=1 Offset=27 BitOffset=3 BitCount=1 UCHAR PermanentObject : 1; // Size=1 Offset=27 BitOffset=4 BitCount=1 UCHAR DefaultSecurityQuota : 1; // Size=1 Offset=27 BitOffset=5 BitCount=1 UCHAR SingleHandleEntry : 1; // Size=1 Offset=27 BitOffset=6 BitCount=1 UCHAR DeletedInline : 1; // Size=1 Offset=27 BitOffset=7 BitCount=1 }; }; ULONG Spare; // Size=4 Offset=28 union { struct _OBJECT_CREATE_INFORMATION * ObjectCreateInfo; // Size=8 Offset=32 void * QuotaBlockCharged; // Size=8 Offset=32 }; void * SecurityDescriptor; // Size=8 Offset=40 struct _QUAD Body; // Size=8 Offset=48 } OBJECT_HEADER, *POBJECT_HEADER; typedef union _EX_FAST_REF // Size=8 { void * Object; struct { unsigned __int64 RefCnt : 4; }; unsigned __int64 Value; } EX_FAST_REF, *PEX_FAST_REF; typedef struct _CONTROL_AREA // Size=120 { struct _SEGMENT * Segment; struct _LIST_ENTRY ListHead; unsigned __int64 NumberOfSectionReferences; unsigned __int64 NumberOfPfnReferences; unsigned __int64 NumberOfMappedViews; unsigned __int64 NumberOfUserReferences; unsigned long f1; unsigned long f2; EX_FAST_REF FilePointer; // Other fields } CONTROL_AREA, *PCONTROL_AREA; typedef struct _SUBSECTION // Size=56 { PCONTROL_AREA ControlArea; // Other fields } SUBSECTION, *PSUBSECTION; typedef struct _MEMORY_BASIC_INFORMATION_EX { PVOID BaseAddress; PVOID AllocationBase; ULONG AllocationProtect; SIZE_T RegionSize; ULONG State; ULONG Protect; ULONG Type; } MEMORY_BASIC_INFORMATION_EX, *PMEMORY_BASIC_INFORMATION_EX; typedef struct _SYSTEM_CALL_COUNT_INFORMATION { ULONG Length; ULONG NumberOfTables; ULONG limits[2]; } SYSTEM_CALL_COUNT_INFORMATION, *PSYSTEM_CALL_COUNT_INFORMATION; typedef struct _SYSTEM_THREAD_INFORMATION { LARGE_INTEGER KernelTime; LARGE_INTEGER UserTime; LARGE_INTEGER CreateTime; ULONG WaitTime; PVOID StartAddress; CLIENT_ID ClientId; KPRIORITY Priority; LONG BasePriority; ULONG ContextSwitches; ULONG ThreadState; KWAIT_REASON WaitReason; }SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION; typedef struct _THREAD_BASIC_INFORMATION { NTSTATUS ExitStatus; PVOID TebBaseAddress; CLIENT_ID ClientId; ULONG_PTR AffinityMask; LONG Priority; LONG BasePriority; } THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; typedef struct _SYSTEM_PROCESS_INFO { ULONG NextEntryOffset; ULONG NumberOfThreads; LARGE_INTEGER WorkingSetPrivateSize; ULONG HardFaultCount; ULONG NumberOfThreadsHighWatermark; ULONGLONG CycleTime; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; UNICODE_STRING ImageName; KPRIORITY BasePriority; HANDLE UniqueProcessId; HANDLE InheritedFromUniqueProcessId; ULONG HandleCount; ULONG SessionId; ULONG_PTR UniqueProcessKey; SIZE_T PeakVirtualSize; SIZE_T VirtualSize; ULONG PageFaultCount; SIZE_T PeakWorkingSetSize; SIZE_T WorkingSetSize; SIZE_T QuotaPeakPagedPoolUsage; SIZE_T QuotaPagedPoolUsage; SIZE_T QuotaPeakNonPagedPoolUsage; SIZE_T QuotaNonPagedPoolUsage; SIZE_T PagefileUsage; SIZE_T PeakPagefileUsage; SIZE_T PrivatePageCount; LARGE_INTEGER ReadOperationCount; LARGE_INTEGER WriteOperationCount; LARGE_INTEGER OtherOperationCount; LARGE_INTEGER ReadTransferCount; LARGE_INTEGER WriteTransferCount; LARGE_INTEGER OtherTransferCount; SYSTEM_THREAD_INFORMATION Threads[1]; }SYSTEM_PROCESS_INFO, *PSYSTEM_PROCESS_INFO; #pragma warning(disable : 4214) typedef struct _MMPTE_HARDWARE64 { ULONGLONG Valid : 1; ULONGLONG Dirty1 : 1; ULONGLONG Owner : 1; ULONGLONG WriteThrough : 1; ULONGLONG CacheDisable : 1; ULONGLONG Accessed : 1; ULONGLONG Dirty : 1; ULONGLONG LargePage : 1; ULONGLONG Global : 1; ULONGLONG CopyOnWrite : 1; ULONGLONG Unused : 1; ULONGLONG Write : 1; ULONGLONG PageFrameNumber : 36; ULONGLONG reserved1 : 4; ULONGLONG SoftwareWsIndex : 11; ULONGLONG NoExecute : 1; } MMPTE_HARDWARE64, *PMMPTE_HARDWARE64; typedef struct _MMPTE { union { ULONG_PTR Long; MMPTE_HARDWARE64 Hard; } u; } MMPTE; typedef MMPTE *PMMPTE; #pragma warning(default : 4214) typedef struct _NT_PROC_THREAD_ATTRIBUTE_ENTRY { ULONG Attribute; // PROC_THREAD_ATTRIBUTE_XXX SIZE_T Size; ULONG_PTR Value; ULONG Unknown; } NT_PROC_THREAD_ATTRIBUTE_ENTRY, *NT_PPROC_THREAD_ATTRIBUTE_ENTRY; typedef struct _NT_PROC_THREAD_ATTRIBUTE_LIST { ULONG Length; NT_PROC_THREAD_ATTRIBUTE_ENTRY Entry[1]; } NT_PROC_THREAD_ATTRIBUTE_LIST, *PNT_PROC_THREAD_ATTRIBUTE_LIST; typedef struct _RTL_PROCESS_MODULE_INFORMATION { HANDLE Section; // Not filled in PVOID MappedBase; PVOID ImageBase; ULONG ImageSize; ULONG Flags; USHORT LoadOrderIndex; USHORT InitOrderIndex; USHORT LoadCount; USHORT OffsetToFileName; UCHAR FullPathName[MAXIMUM_FILENAME_LENGTH]; } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION; typedef struct _RTL_PROCESS_MODULES { ULONG NumberOfModules; RTL_PROCESS_MODULE_INFORMATION Modules[1]; } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES; #pragma warning(disable : 4214) typedef union _MEMORY_WORKING_SET_EX_BLOCK { ULONG_PTR Flags; struct { ULONG_PTR Valid : 1; ULONG_PTR ShareCount : 3; ULONG_PTR Win32Protection : 11; ULONG_PTR Shared : 1; ULONG_PTR Node : 6; ULONG_PTR Locked : 1; ULONG_PTR LargePage : 1; ULONG_PTR Reserved : 7; ULONG_PTR Bad : 1; #if defined(_WIN64) ULONG_PTR ReservedUlong : 32; #endif }; } MEMORY_WORKING_SET_EX_BLOCK, *PMEMORY_WORKING_SET_EX_BLOCK; typedef struct _MEMORY_WORKING_SET_EX_INFORMATION { PVOID VirtualAddress; MEMORY_WORKING_SET_EX_BLOCK VirtualAttributes; } MEMORY_WORKING_SET_EX_INFORMATION, *PMEMORY_WORKING_SET_EX_INFORMATION; #pragma warning(default : 4214) typedef struct _PEB_LDR_DATA { ULONG Length; UCHAR Initialized; PVOID SsHandle; LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; } PEB_LDR_DATA, *PPEB_LDR_DATA; typedef struct _LDR_DATA_TABLE_ENTRY { LIST_ENTRY InLoadOrderLinks; LIST_ENTRY InMemoryOrderLinks; LIST_ENTRY InInitializationOrderLinks; PVOID DllBase; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; ULONG Flags; USHORT LoadCount; USHORT TlsIndex; LIST_ENTRY HashLinks; ULONG TimeDateStamp; } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY; typedef struct _PEB { UCHAR InheritedAddressSpace; UCHAR ReadImageFileExecOptions; UCHAR BeingDebugged; UCHAR BitField; PVOID Mutant; PVOID ImageBaseAddress; PPEB_LDR_DATA Ldr; PVOID ProcessParameters; PVOID SubSystemData; PVOID ProcessHeap; PVOID FastPebLock; PVOID AtlThunkSListPtr; PVOID IFEOKey; PVOID CrossProcessFlags; PVOID KernelCallbackTable; ULONG SystemReserved; ULONG AtlThunkSListPtr32; PVOID ApiSetMap; } PEB, *PPEB; typedef struct _PEB_LDR_DATA32 { ULONG Length; UCHAR Initialized; ULONG SsHandle; LIST_ENTRY32 InLoadOrderModuleList; LIST_ENTRY32 InMemoryOrderModuleList; LIST_ENTRY32 InInitializationOrderModuleList; } PEB_LDR_DATA32, *PPEB_LDR_DATA32; typedef struct _LDR_DATA_TABLE_ENTRY32 { LIST_ENTRY32 InLoadOrderLinks; LIST_ENTRY32 InMemoryOrderLinks; LIST_ENTRY32 InInitializationOrderLinks; ULONG DllBase; ULONG EntryPoint; ULONG SizeOfImage; UNICODE_STRING32 FullDllName; UNICODE_STRING32 BaseDllName; ULONG Flags; USHORT LoadCount; USHORT TlsIndex; LIST_ENTRY32 HashLinks; ULONG TimeDateStamp; } LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32; typedef struct _PEB32 { UCHAR InheritedAddressSpace; UCHAR ReadImageFileExecOptions; UCHAR BeingDebugged; UCHAR BitField; ULONG Mutant; ULONG ImageBaseAddress; ULONG Ldr; ULONG ProcessParameters; ULONG SubSystemData; ULONG ProcessHeap; ULONG FastPebLock; ULONG AtlThunkSListPtr; ULONG IFEOKey; ULONG CrossProcessFlags; ULONG UserSharedInfoPtr; ULONG SystemReserved; ULONG AtlThunkSListPtr32; ULONG ApiSetMap; } PEB32, *PPEB32; typedef struct _WOW64_PROCESS { PPEB32 Wow64; } WOW64_PROCESS, *PWOW64_PROCESS; typedef union _WOW64_APC_CONTEXT { struct { ULONG Apc32BitContext; ULONG Apc32BitRoutine; }; PVOID Apc64BitContext; } WOW64_APC_CONTEXT, *PWOW64_APC_CONTEXT; typedef struct _NON_PAGED_DEBUG_INFO { USHORT Signature; USHORT Flags; ULONG Size; USHORT Machine; USHORT Characteristics; ULONG TimeDateStamp; ULONG CheckSum; ULONG SizeOfImage; ULONGLONG ImageBase; } NON_PAGED_DEBUG_INFO, *PNON_PAGED_DEBUG_INFO; typedef struct _KLDR_DATA_TABLE_ENTRY { LIST_ENTRY InLoadOrderLinks; PVOID ExceptionTable; ULONG ExceptionTableSize; // ULONG padding on IA64 PVOID GpValue; PNON_PAGED_DEBUG_INFO NonPagedDebugInfo; PVOID DllBase; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; ULONG Flags; USHORT LoadCount; USHORT __Unused5; PVOID SectionPointer; ULONG CheckSum; // ULONG padding on IA64 PVOID LoadedImports; PVOID PatchInformation; } KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY; // // This structure is used by the debugger for all targets // It is the same size as DBGKD_DATA_HEADER on all systems // typedef struct _DBGKD_DEBUG_DATA_HEADER64 { // // Link to other blocks // LIST_ENTRY64 List; // // This is a unique tag to identify the owner of the block. // If your component only uses one pool tag, use it for this, too. // ULONG OwnerTag; // // This must be initialized to the size of the data block, // including this structure. // ULONG Size; } DBGKD_DEBUG_DATA_HEADER64, *PDBGKD_DEBUG_DATA_HEADER64; // // This structure is the same size on all systems. The only field // which must be translated by the debugger is Header.List. // // // DO NOT ADD OR REMOVE FIELDS FROM THE MIDDLE OF THIS STRUCTURE!!! // // If you remove a field, replace it with an "unused" placeholder. // Do not reuse fields until there has been enough time for old debuggers // and extensions to age out. // typedef struct _KDDEBUGGER_DATA64 { DBGKD_DEBUG_DATA_HEADER64 Header; // // Base address of kernel image // ULONG64 KernBase; // // DbgBreakPointWithStatus is a function which takes an argument // and hits a breakpoint. This field contains the address of the // breakpoint instruction. When the debugger sees a breakpoint // at this address, it may retrieve the argument from the first // argument register, or on x86 the eax register. // ULONG64 BreakpointWithStatus; // address of breakpoint // // Address of the saved context record during a bugcheck // // N.B. This is an automatic in KeBugcheckEx's frame, and // is only valid after a bugcheck. // ULONG64 SavedContext; // // help for walking stacks with user callbacks: // // // The address of the thread structure is provided in the // WAIT_STATE_CHANGE packet. This is the offset from the base of // the thread structure to the pointer to the kernel stack frame // for the currently active usermode callback. // USHORT ThCallbackStack; // offset in thread data // // these values are offsets into that frame: // USHORT NextCallback; // saved pointer to next callback frame USHORT FramePointer; // saved frame pointer // // pad to a quad boundary // USHORT PaeEnabled; // // Address of the kernel callout routine. // ULONG64 KiCallUserMode; // kernel routine // // Address of the usermode entry point for callbacks. // ULONG64 KeUserCallbackDispatcher; // address in ntdll // // Addresses of various kernel data structures and lists // that are of interest to the kernel debugger. // ULONG64 PsLoadedModuleList; ULONG64 PsActiveProcessHead; ULONG64 PspCidTable; ULONG64 ExpSystemResourcesList; ULONG64 ExpPagedPoolDescriptor; ULONG64 ExpNumberOfPagedPools; ULONG64 KeTimeIncrement; ULONG64 KeBugCheckCallbackListHead; ULONG64 KiBugcheckData; ULONG64 IopErrorLogListHead; ULONG64 ObpRootDirectoryObject; ULONG64 ObpTypeObjectType; ULONG64 MmSystemCacheStart; ULONG64 MmSystemCacheEnd; ULONG64 MmSystemCacheWs; ULONG64 MmPfnDatabase; ULONG64 MmSystemPtesStart; ULONG64 MmSystemPtesEnd; ULONG64 MmSubsectionBase; ULONG64 MmNumberOfPagingFiles; ULONG64 MmLowestPhysicalPage; ULONG64 MmHighestPhysicalPage; ULONG64 MmNumberOfPhysicalPages; ULONG64 MmMaximumNonPagedPoolInBytes; ULONG64 MmNonPagedSystemStart; ULONG64 MmNonPagedPoolStart; ULONG64 MmNonPagedPoolEnd; ULONG64 MmPagedPoolStart; ULONG64 MmPagedPoolEnd; ULONG64 MmPagedPoolInformation; ULONG64 MmPageSize; ULONG64 MmSizeOfPagedPoolInBytes; ULONG64 MmTotalCommitLimit; ULONG64 MmTotalCommittedPages; ULONG64 MmSharedCommit; ULONG64 MmDriverCommit; ULONG64 MmProcessCommit; ULONG64 MmPagedPoolCommit; ULONG64 MmExtendedCommit; ULONG64 MmZeroedPageListHead; ULONG64 MmFreePageListHead; ULONG64 MmStandbyPageListHead; ULONG64 MmModifiedPageListHead; ULONG64 MmModifiedNoWritePageListHead; ULONG64 MmAvailablePages; ULONG64 MmResidentAvailablePages; ULONG64 PoolTrackTable; ULONG64 NonPagedPoolDescriptor; ULONG64 MmHighestUserAddress; ULONG64 MmSystemRangeStart; ULONG64 MmUserProbeAddress; ULONG64 KdPrintCircularBuffer; ULONG64 KdPrintCircularBufferEnd; ULONG64 KdPrintWritePointer; ULONG64 KdPrintRolloverCount; ULONG64 MmLoadedUserImageList; // NT 5.1 Addition ULONG64 NtBuildLab; ULONG64 KiNormalSystemCall; // NT 5.0 hotfix addition ULONG64 KiProcessorBlock; ULONG64 MmUnloadedDrivers; ULONG64 MmLastUnloadedDriver; ULONG64 MmTriageActionTaken; ULONG64 MmSpecialPoolTag; ULONG64 KernelVerifier; ULONG64 MmVerifierData; ULONG64 MmAllocatedNonPagedPool; ULONG64 MmPeakCommitment; ULONG64 MmTotalCommitLimitMaximum; ULONG64 CmNtCSDVersion; // NT 5.1 Addition ULONG64 MmPhysicalMemoryBlock; ULONG64 MmSessionBase; ULONG64 MmSessionSize; ULONG64 MmSystemParentTablePage; // Server 2003 addition ULONG64 MmVirtualTranslationBase; USHORT OffsetKThreadNextProcessor; USHORT OffsetKThreadTeb; USHORT OffsetKThreadKernelStack; USHORT OffsetKThreadInitialStack; USHORT OffsetKThreadApcProcess; USHORT OffsetKThreadState; USHORT OffsetKThreadBStore; USHORT OffsetKThreadBStoreLimit; USHORT SizeEProcess; USHORT OffsetEprocessPeb; USHORT OffsetEprocessParentCID; USHORT OffsetEprocessDirectoryTableBase; USHORT SizePrcb; USHORT OffsetPrcbDpcRoutine; USHORT OffsetPrcbCurrentThread; USHORT OffsetPrcbMhz; USHORT OffsetPrcbCpuType; USHORT OffsetPrcbVendorString; USHORT OffsetPrcbProcStateContext; USHORT OffsetPrcbNumber; USHORT SizeEThread; ULONG64 KdPrintCircularBufferPtr; ULONG64 KdPrintBufferSize; ULONG64 KeLoaderBlock; USHORT SizePcr; USHORT OffsetPcrSelfPcr; USHORT OffsetPcrCurrentPrcb; USHORT OffsetPcrContainedPrcb; USHORT OffsetPcrInitialBStore; USHORT OffsetPcrBStoreLimit; USHORT OffsetPcrInitialStack; USHORT OffsetPcrStackLimit; USHORT OffsetPrcbPcrPage; USHORT OffsetPrcbProcStateSpecialReg; USHORT GdtR0Code; USHORT GdtR0Data; USHORT GdtR0Pcr; USHORT GdtR3Code; USHORT GdtR3Data; USHORT GdtR3Teb; USHORT GdtLdt; USHORT GdtTss; USHORT Gdt64R3CmCode; USHORT Gdt64R3CmTeb; ULONG64 IopNumTriageDumpDataBlocks; ULONG64 IopTriageDumpDataBlocks; // Longhorn addition ULONG64 VfCrashDataBlock; ULONG64 MmBadPagesDetected; ULONG64 MmZeroedPageSingleBitErrorsDetected; // Windows 7 addition ULONG64 EtwpDebuggerData; USHORT OffsetPrcbContext; // Windows 8 addition USHORT OffsetPrcbMaxBreakpoints; USHORT OffsetPrcbMaxWatchpoints; ULONG OffsetKThreadStackLimit; ULONG OffsetKThreadStackBase; ULONG OffsetKThreadQueueListEntry; ULONG OffsetEThreadIrpList; USHORT OffsetPrcbIdleThread; USHORT OffsetPrcbNormalDpcState; USHORT OffsetPrcbDpcStack; USHORT OffsetPrcbIsrStack; USHORT SizeKDPC_STACK_FRAME; // Windows 8.1 Addition USHORT OffsetKPriQueueThreadListHead; USHORT OffsetKThreadWaitReason; // Windows 10 RS1 Addition USHORT Padding; ULONG64 PteBase; // Windows 10 RS5 Addition ULONG64 RetpolineStubFunctionTable; ULONG RetpolineStubFunctionTableSize; ULONG RetpolineStubOffset; ULONG RetpolineStubSize; } KDDEBUGGER_DATA64, *PKDDEBUGGER_DATA64; typedef struct _DUMP_HEADER { ULONG Signature; ULONG ValidDump; ULONG MajorVersion; ULONG MinorVersion; ULONG_PTR DirectoryTableBase; ULONG_PTR PfnDataBase; PLIST_ENTRY PsLoadedModuleList; PLIST_ENTRY PsActiveProcessHead; ULONG MachineImageType; ULONG NumberProcessors; ULONG BugCheckCode; ULONG_PTR BugCheckParameter1; ULONG_PTR BugCheckParameter2; ULONG_PTR BugCheckParameter3; ULONG_PTR BugCheckParameter4; CHAR VersionUser[32]; struct _KDDEBUGGER_DATA64 *KdDebuggerDataBlock; } DUMP_HEADER, *PDUMP_HEADER; C_ASSERT( FIELD_OFFSET( DUMP_HEADER, Signature ) == 0 ); C_ASSERT( FIELD_OFFSET( DUMP_HEADER, ValidDump ) == 4 ); C_ASSERT( FIELD_OFFSET( DUMP_HEADER, MajorVersion ) == 8 ); C_ASSERT( FIELD_OFFSET( DUMP_HEADER, MinorVersion ) == 0xc ); C_ASSERT( FIELD_OFFSET( DUMP_HEADER, DirectoryTableBase ) == 0x10 ); C_ASSERT( FIELD_OFFSET( DUMP_HEADER, PfnDataBase ) == 0x18 ); C_ASSERT( FIELD_OFFSET( DUMP_HEADER, PsLoadedModuleList ) == 0x20 ); C_ASSERT( FIELD_OFFSET( DUMP_HEADER, PsActiveProcessHead ) == 0x28 ); C_ASSERT( FIELD_OFFSET( DUMP_HEADER, MachineImageType ) == 0x30 ); C_ASSERT( FIELD_OFFSET( DUMP_HEADER, NumberProcessors ) == 0x34 ); C_ASSERT( FIELD_OFFSET( DUMP_HEADER, BugCheckCode ) == 0x38 ); C_ASSERT( FIELD_OFFSET( DUMP_HEADER, BugCheckParameter1 ) == 0x40 ); C_ASSERT( FIELD_OFFSET( DUMP_HEADER, BugCheckParameter2 ) == 0x48 ); C_ASSERT( FIELD_OFFSET( DUMP_HEADER, BugCheckParameter3 ) == 0x50 ); C_ASSERT( FIELD_OFFSET( DUMP_HEADER, BugCheckParameter4 ) == 0x58 ); C_ASSERT( FIELD_OFFSET( DUMP_HEADER, KdDebuggerDataBlock ) == 0x80 ); extern KDDEBUGGER_DATA64 g_KdBlock;