Created
December 10, 2020 14:32
-
-
Save matterpreter/3f0e6aa99f1d68ac990c7c1e1904561c to your computer and use it in GitHub Desktop.
Win10 20H2 EPROCESS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| lkd> dt -b nt!_EPROCESS | |
| +0x000 Pcb : _KPROCESS | |
| +0x000 Header : _DISPATCHER_HEADER | |
| +0x000 Lock : Int4B | |
| +0x000 LockNV : Int4B | |
| +0x000 Type : UChar | |
| +0x001 Signalling : UChar | |
| +0x002 Size : UChar | |
| +0x003 Reserved1 : UChar | |
| +0x000 TimerType : UChar | |
| +0x001 TimerControlFlags : UChar | |
| +0x001 Absolute : Pos 0, 1 Bit | |
| +0x001 Wake : Pos 1, 1 Bit | |
| +0x001 EncodedTolerableDelay : Pos 2, 6 Bits | |
| +0x002 Hand : UChar | |
| +0x003 TimerMiscFlags : UChar | |
| +0x003 Index : Pos 0, 6 Bits | |
| +0x003 Inserted : Pos 6, 1 Bit | |
| +0x003 Expired : Pos 7, 1 Bit | |
| +0x000 Timer2Type : UChar | |
| +0x001 Timer2Flags : UChar | |
| +0x001 Timer2Inserted : Pos 0, 1 Bit | |
| +0x001 Timer2Expiring : Pos 1, 1 Bit | |
| +0x001 Timer2CancelPending : Pos 2, 1 Bit | |
| +0x001 Timer2SetPending : Pos 3, 1 Bit | |
| +0x001 Timer2Running : Pos 4, 1 Bit | |
| +0x001 Timer2Disabled : Pos 5, 1 Bit | |
| +0x001 Timer2ReservedFlags : Pos 6, 2 Bits | |
| +0x002 Timer2ComponentId : UChar | |
| +0x003 Timer2RelativeId : UChar | |
| +0x000 QueueType : UChar | |
| +0x001 QueueControlFlags : UChar | |
| +0x001 Abandoned : Pos 0, 1 Bit | |
| +0x001 DisableIncrement : Pos 1, 1 Bit | |
| +0x001 QueueReservedControlFlags : Pos 2, 6 Bits | |
| +0x002 QueueSize : UChar | |
| +0x003 QueueReserved : UChar | |
| +0x000 ThreadType : UChar | |
| +0x001 ThreadReserved : UChar | |
| +0x002 ThreadControlFlags : UChar | |
| +0x002 CycleProfiling : Pos 0, 1 Bit | |
| +0x002 CounterProfiling : Pos 1, 1 Bit | |
| +0x002 GroupScheduling : Pos 2, 1 Bit | |
| +0x002 AffinitySet : Pos 3, 1 Bit | |
| +0x002 Tagged : Pos 4, 1 Bit | |
| +0x002 EnergyProfiling : Pos 5, 1 Bit | |
| +0x002 SchedulerAssist : Pos 6, 1 Bit | |
| +0x002 ThreadReservedControlFlags : Pos 7, 1 Bit | |
| +0x003 DebugActive : UChar | |
| +0x003 ActiveDR7 : Pos 0, 1 Bit | |
| +0x003 Instrumented : Pos 1, 1 Bit | |
| +0x003 Minimal : Pos 2, 1 Bit | |
| +0x003 Reserved4 : Pos 3, 2 Bits | |
| +0x003 AltSyscall : Pos 5, 1 Bit | |
| +0x003 UmsScheduled : Pos 6, 1 Bit | |
| +0x003 UmsPrimary : Pos 7, 1 Bit | |
| +0x000 MutantType : UChar | |
| +0x001 MutantSize : UChar | |
| +0x002 DpcActive : UChar | |
| +0x003 MutantReserved : UChar | |
| +0x004 SignalState : Int4B | |
| +0x008 WaitListHead : _LIST_ENTRY | |
| +0x000 Flink : Ptr64 | |
| +0x008 Blink : Ptr64 | |
| +0x018 ProfileListHead : _LIST_ENTRY | |
| +0x000 Flink : Ptr64 | |
| +0x008 Blink : Ptr64 | |
| +0x028 DirectoryTableBase : Uint8B | |
| +0x030 ThreadListHead : _LIST_ENTRY | |
| +0x000 Flink : Ptr64 | |
| +0x008 Blink : Ptr64 | |
| +0x040 ProcessLock : Uint4B | |
| +0x044 ProcessTimerDelay : Uint4B | |
| +0x048 DeepFreezeStartTime : Uint8B | |
| +0x050 Affinity : _KAFFINITY_EX | |
| +0x000 Count : Uint2B | |
| +0x002 Size : Uint2B | |
| +0x004 Reserved : Uint4B | |
| +0x008 Bitmap : Uint8B | |
| +0x0f8 AffinityPadding : Uint8B | |
| +0x158 ReadyListHead : _LIST_ENTRY | |
| +0x000 Flink : Ptr64 | |
| +0x008 Blink : Ptr64 | |
| +0x168 SwapListEntry : _SINGLE_LIST_ENTRY | |
| +0x000 Next : Ptr64 | |
| +0x170 ActiveProcessors : _KAFFINITY_EX | |
| +0x000 Count : Uint2B | |
| +0x002 Size : Uint2B | |
| +0x004 Reserved : Uint4B | |
| +0x008 Bitmap : Uint8B | |
| +0x218 ActiveProcessorsPadding : Uint8B | |
| +0x278 AutoAlignment : Pos 0, 1 Bit | |
| +0x278 DisableBoost : Pos 1, 1 Bit | |
| +0x278 DisableQuantum : Pos 2, 1 Bit | |
| +0x278 DeepFreeze : Pos 3, 1 Bit | |
| +0x278 TimerVirtualization : Pos 4, 1 Bit | |
| +0x278 CheckStackExtents : Pos 5, 1 Bit | |
| +0x278 CacheIsolationEnabled : Pos 6, 1 Bit | |
| +0x278 PpmPolicy : Pos 7, 3 Bits | |
| +0x278 VaSpaceDeleted : Pos 10, 1 Bit | |
| +0x278 ReservedFlags : Pos 11, 21 Bits | |
| +0x278 ProcessFlags : Int4B | |
| +0x27c ActiveGroupsMask : Uint4B | |
| +0x280 BasePriority : Char | |
| +0x281 QuantumReset : Char | |
| +0x282 Visited : Char | |
| +0x283 Flags : _KEXECUTE_OPTIONS | |
| +0x000 ExecuteDisable : Pos 0, 1 Bit | |
| +0x000 ExecuteEnable : Pos 1, 1 Bit | |
| +0x000 DisableThunkEmulation : Pos 2, 1 Bit | |
| +0x000 Permanent : Pos 3, 1 Bit | |
| +0x000 ExecuteDispatchEnable : Pos 4, 1 Bit | |
| +0x000 ImageDispatchEnable : Pos 5, 1 Bit | |
| +0x000 DisableExceptionChainValidation : Pos 6, 1 Bit | |
| +0x000 Spare : Pos 7, 1 Bit | |
| +0x000 ExecuteOptions : UChar | |
| +0x000 ExecuteOptionsNV : UChar | |
| +0x284 ThreadSeed : Uint2B | |
| +0x2ac ThreadSeedPadding : Uint2B | |
| +0x2c4 IdealProcessor : Uint2B | |
| +0x2ec IdealProcessorPadding : Uint2B | |
| +0x304 IdealNode : Uint2B | |
| +0x32c IdealNodePadding : Uint2B | |
| +0x344 IdealGlobalNode : Uint2B | |
| +0x346 Spare1 : Uint2B | |
| +0x348 StackCount : _KSTACK_COUNT | |
| +0x000 Value : Int4B | |
| +0x000 State : Pos 0, 3 Bits | |
| +0x000 StackCount : Pos 3, 29 Bits | |
| +0x350 ProcessListEntry : _LIST_ENTRY | |
| +0x000 Flink : Ptr64 | |
| +0x008 Blink : Ptr64 | |
| +0x360 CycleTime : Uint8B | |
| +0x368 ContextSwitches : Uint8B | |
| +0x370 SchedulingGroup : Ptr64 | |
| +0x378 FreezeCount : Uint4B | |
| +0x37c KernelTime : Uint4B | |
| +0x380 UserTime : Uint4B | |
| +0x384 ReadyTime : Uint4B | |
| +0x388 UserDirectoryTableBase : Uint8B | |
| +0x390 AddressPolicy : UChar | |
| +0x391 Spare2 : UChar | |
| +0x3d8 InstrumentationCallback : Ptr64 | |
| +0x3e0 SecureState : <anonymous-tag> | |
| +0x000 SecureHandle : Uint8B | |
| +0x000 Flags : <anonymous-tag> | |
| +0x000 SecureProcess : Pos 0, 1 Bit | |
| +0x000 Unused : Pos 1, 1 Bit | |
| +0x3e8 KernelWaitTime : Uint8B | |
| +0x3f0 UserWaitTime : Uint8B | |
| +0x3f8 EndPadding : Uint8B | |
| +0x438 ProcessLock : _EX_PUSH_LOCK | |
| +0x000 Locked : Pos 0, 1 Bit | |
| +0x000 Waiting : Pos 1, 1 Bit | |
| +0x000 Waking : Pos 2, 1 Bit | |
| +0x000 MultipleShared : Pos 3, 1 Bit | |
| +0x000 Shared : Pos 4, 60 Bits | |
| +0x000 Value : Uint8B | |
| +0x000 Ptr : Ptr64 | |
| +0x440 UniqueProcessId : Ptr64 | |
| +0x448 ActiveProcessLinks : _LIST_ENTRY | |
| +0x000 Flink : Ptr64 | |
| +0x008 Blink : Ptr64 | |
| +0x458 RundownProtect : _EX_RUNDOWN_REF | |
| +0x000 Count : Uint8B | |
| +0x000 Ptr : Ptr64 | |
| +0x460 Flags2 : Uint4B | |
| +0x460 JobNotReallyActive : Pos 0, 1 Bit | |
| +0x460 AccountingFolded : Pos 1, 1 Bit | |
| +0x460 NewProcessReported : Pos 2, 1 Bit | |
| +0x460 ExitProcessReported : Pos 3, 1 Bit | |
| +0x460 ReportCommitChanges : Pos 4, 1 Bit | |
| +0x460 LastReportMemory : Pos 5, 1 Bit | |
| +0x460 ForceWakeCharge : Pos 6, 1 Bit | |
| +0x460 CrossSessionCreate : Pos 7, 1 Bit | |
| +0x460 NeedsHandleRundown : Pos 8, 1 Bit | |
| +0x460 RefTraceEnabled : Pos 9, 1 Bit | |
| +0x460 PicoCreated : Pos 10, 1 Bit | |
| +0x460 EmptyJobEvaluated : Pos 11, 1 Bit | |
| +0x460 DefaultPagePriority : Pos 12, 3 Bits | |
| +0x460 PrimaryTokenFrozen : Pos 15, 1 Bit | |
| +0x460 ProcessVerifierTarget : Pos 16, 1 Bit | |
| +0x460 RestrictSetThreadContext : Pos 17, 1 Bit | |
| +0x460 AffinityPermanent : Pos 18, 1 Bit | |
| +0x460 AffinityUpdateEnable : Pos 19, 1 Bit | |
| +0x460 PropagateNode : Pos 20, 1 Bit | |
| +0x460 ExplicitAffinity : Pos 21, 1 Bit | |
| +0x460 ProcessExecutionState : Pos 22, 2 Bits | |
| +0x460 EnableReadVmLogging : Pos 24, 1 Bit | |
| +0x460 EnableWriteVmLogging : Pos 25, 1 Bit | |
| +0x460 FatalAccessTerminationRequested : Pos 26, 1 Bit | |
| +0x460 DisableSystemAllowedCpuSet : Pos 27, 1 Bit | |
| +0x460 ProcessStateChangeRequest : Pos 28, 2 Bits | |
| +0x460 ProcessStateChangeInProgress : Pos 30, 1 Bit | |
| +0x460 InPrivate : Pos 31, 1 Bit | |
| +0x464 Flags : Uint4B | |
| +0x464 CreateReported : Pos 0, 1 Bit | |
| +0x464 NoDebugInherit : Pos 1, 1 Bit | |
| +0x464 ProcessExiting : Pos 2, 1 Bit | |
| +0x464 ProcessDelete : Pos 3, 1 Bit | |
| +0x464 ManageExecutableMemoryWrites : Pos 4, 1 Bit | |
| +0x464 VmDeleted : Pos 5, 1 Bit | |
| +0x464 OutswapEnabled : Pos 6, 1 Bit | |
| +0x464 Outswapped : Pos 7, 1 Bit | |
| +0x464 FailFastOnCommitFail : Pos 8, 1 Bit | |
| +0x464 Wow64VaSpace4Gb : Pos 9, 1 Bit | |
| +0x464 AddressSpaceInitialized : Pos 10, 2 Bits | |
| +0x464 SetTimerResolution : Pos 12, 1 Bit | |
| +0x464 BreakOnTermination : Pos 13, 1 Bit | |
| +0x464 DeprioritizeViews : Pos 14, 1 Bit | |
| +0x464 WriteWatch : Pos 15, 1 Bit | |
| +0x464 ProcessInSession : Pos 16, 1 Bit | |
| +0x464 OverrideAddressSpace : Pos 17, 1 Bit | |
| +0x464 HasAddressSpace : Pos 18, 1 Bit | |
| +0x464 LaunchPrefetched : Pos 19, 1 Bit | |
| +0x464 Background : Pos 20, 1 Bit | |
| +0x464 VmTopDown : Pos 21, 1 Bit | |
| +0x464 ImageNotifyDone : Pos 22, 1 Bit | |
| +0x464 PdeUpdateNeeded : Pos 23, 1 Bit | |
| +0x464 VdmAllowed : Pos 24, 1 Bit | |
| +0x464 ProcessRundown : Pos 25, 1 Bit | |
| +0x464 ProcessInserted : Pos 26, 1 Bit | |
| +0x464 DefaultIoPriority : Pos 27, 3 Bits | |
| +0x464 ProcessSelfDelete : Pos 30, 1 Bit | |
| +0x464 SetTimerResolutionLink : Pos 31, 1 Bit | |
| +0x468 CreateTime : _LARGE_INTEGER | |
| +0x000 LowPart : Uint4B | |
| +0x004 HighPart : Int4B | |
| +0x000 u : <anonymous-tag> | |
| +0x000 LowPart : Uint4B | |
| +0x004 HighPart : Int4B | |
| +0x000 QuadPart : Int8B | |
| +0x470 ProcessQuotaUsage : Uint8B | |
| +0x480 ProcessQuotaPeak : Uint8B | |
| +0x490 PeakVirtualSize : Uint8B | |
| +0x498 VirtualSize : Uint8B | |
| +0x4a0 SessionProcessLinks : _LIST_ENTRY | |
| +0x000 Flink : Ptr64 | |
| +0x008 Blink : Ptr64 | |
| +0x4b0 ExceptionPortData : Ptr64 | |
| +0x4b0 ExceptionPortValue : Uint8B | |
| +0x4b0 ExceptionPortState : Pos 0, 3 Bits | |
| +0x4b8 Token : _EX_FAST_REF | |
| +0x000 Object : Ptr64 | |
| +0x000 RefCnt : Pos 0, 4 Bits | |
| +0x000 Value : Uint8B | |
| +0x4c0 MmReserved : Uint8B | |
| +0x4c8 AddressCreationLock : _EX_PUSH_LOCK | |
| +0x000 Locked : Pos 0, 1 Bit | |
| +0x000 Waiting : Pos 1, 1 Bit | |
| +0x000 Waking : Pos 2, 1 Bit | |
| +0x000 MultipleShared : Pos 3, 1 Bit | |
| +0x000 Shared : Pos 4, 60 Bits | |
| +0x000 Value : Uint8B | |
| +0x000 Ptr : Ptr64 | |
| +0x4d0 PageTableCommitmentLock : _EX_PUSH_LOCK | |
| +0x000 Locked : Pos 0, 1 Bit | |
| +0x000 Waiting : Pos 1, 1 Bit | |
| +0x000 Waking : Pos 2, 1 Bit | |
| +0x000 MultipleShared : Pos 3, 1 Bit | |
| +0x000 Shared : Pos 4, 60 Bits | |
| +0x000 Value : Uint8B | |
| +0x000 Ptr : Ptr64 | |
| +0x4d8 RotateInProgress : Ptr64 | |
| +0x4e0 ForkInProgress : Ptr64 | |
| +0x4e8 CommitChargeJob : Ptr64 | |
| +0x4f0 CloneRoot : _RTL_AVL_TREE | |
| +0x000 Root : Ptr64 | |
| +0x4f8 NumberOfPrivatePages : Uint8B | |
| +0x500 NumberOfLockedPages : Uint8B | |
| +0x508 Win32Process : Ptr64 | |
| +0x510 Job : Ptr64 | |
| +0x518 SectionObject : Ptr64 | |
| +0x520 SectionBaseAddress : Ptr64 | |
| +0x528 Cookie : Uint4B | |
| +0x530 WorkingSetWatch : Ptr64 | |
| +0x538 Win32WindowStation : Ptr64 | |
| +0x540 InheritedFromUniqueProcessId : Ptr64 | |
| +0x548 OwnerProcessId : Uint8B | |
| +0x550 Peb : Ptr64 | |
| +0x558 Session : Ptr64 | |
| +0x560 Spare1 : Ptr64 | |
| +0x568 QuotaBlock : Ptr64 | |
| +0x570 ObjectTable : Ptr64 | |
| +0x578 DebugPort : Ptr64 | |
| +0x580 WoW64Process : Ptr64 | |
| +0x588 DeviceMap : Ptr64 | |
| +0x590 EtwDataSource : Ptr64 | |
| +0x598 PageDirectoryPte : Uint8B | |
| +0x5a0 ImageFilePointer : Ptr64 | |
| +0x5a8 ImageFileName : UChar | |
| +0x5b7 PriorityClass : UChar | |
| +0x5b8 SecurityPort : Ptr64 | |
| +0x5c0 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO | |
| +0x000 ImageFileName : Ptr64 | |
| +0x5c8 JobLinks : _LIST_ENTRY | |
| +0x000 Flink : Ptr64 | |
| +0x008 Blink : Ptr64 | |
| +0x5d8 HighestUserAddress : Ptr64 | |
| +0x5e0 ThreadListHead : _LIST_ENTRY | |
| +0x000 Flink : Ptr64 | |
| +0x008 Blink : Ptr64 | |
| +0x5f0 ActiveThreads : Uint4B | |
| +0x5f4 ImagePathHash : Uint4B | |
| +0x5f8 DefaultHardErrorProcessing : Uint4B | |
| +0x5fc LastThreadExitStatus : Int4B | |
| +0x600 PrefetchTrace : _EX_FAST_REF | |
| +0x000 Object : Ptr64 | |
| +0x000 RefCnt : Pos 0, 4 Bits | |
| +0x000 Value : Uint8B | |
| +0x608 LockedPagesList : Ptr64 | |
| +0x610 ReadOperationCount : _LARGE_INTEGER | |
| +0x000 LowPart : Uint4B | |
| +0x004 HighPart : Int4B | |
| +0x000 u : <anonymous-tag> | |
| +0x000 LowPart : Uint4B | |
| +0x004 HighPart : Int4B | |
| +0x000 QuadPart : Int8B | |
| +0x618 WriteOperationCount : _LARGE_INTEGER | |
| +0x000 LowPart : Uint4B | |
| +0x004 HighPart : Int4B | |
| +0x000 u : <anonymous-tag> | |
| +0x000 LowPart : Uint4B | |
| +0x004 HighPart : Int4B | |
| +0x000 QuadPart : Int8B | |
| +0x620 OtherOperationCount : _LARGE_INTEGER | |
| +0x000 LowPart : Uint4B | |
| +0x004 HighPart : Int4B | |
| +0x000 u : <anonymous-tag> | |
| +0x000 LowPart : Uint4B | |
| +0x004 HighPart : Int4B | |
| +0x000 QuadPart : Int8B | |
| +0x628 ReadTransferCount : _LARGE_INTEGER | |
| +0x000 LowPart : Uint4B | |
| +0x004 HighPart : Int4B | |
| +0x000 u : <anonymous-tag> | |
| +0x000 LowPart : Uint4B | |
| +0x004 HighPart : Int4B | |
| +0x000 QuadPart : Int8B | |
| +0x630 WriteTransferCount : _LARGE_INTEGER | |
| +0x000 LowPart : Uint4B | |
| +0x004 HighPart : Int4B | |
| +0x000 u : <anonymous-tag> | |
| +0x000 LowPart : Uint4B | |
| +0x004 HighPart : Int4B | |
| +0x000 QuadPart : Int8B | |
| +0x638 OtherTransferCount : _LARGE_INTEGER | |
| +0x000 LowPart : Uint4B | |
| +0x004 HighPart : Int4B | |
| +0x000 u : <anonymous-tag> | |
| +0x000 LowPart : Uint4B | |
| +0x004 HighPart : Int4B | |
| +0x000 QuadPart : Int8B | |
| +0x640 CommitChargeLimit : Uint8B | |
| +0x648 CommitCharge : Uint8B | |
| +0x650 CommitChargePeak : Uint8B | |
| +0x680 Vm : _MMSUPPORT_FULL | |
| +0x000 Instance : _MMSUPPORT_INSTANCE | |
| +0x000 NextPageColor : Uint4B | |
| +0x004 PageFaultCount : Uint4B | |
| +0x008 TrimmedPageCount : Uint8B | |
| +0x010 VmWorkingSetList : Ptr64 | |
| +0x018 WorkingSetExpansionLinks : _LIST_ENTRY | |
| +0x000 Flink : Ptr64 | |
| +0x008 Blink : Ptr64 | |
| +0x028 AgeDistribution : Uint8B | |
| +0x068 ExitOutswapGate : Ptr64 | |
| +0x070 MinimumWorkingSetSize : Uint8B | |
| +0x078 WorkingSetLeafSize : Uint8B | |
| +0x080 WorkingSetLeafPrivateSize : Uint8B | |
| +0x088 WorkingSetSize : Uint8B | |
| +0x090 WorkingSetPrivateSize : Uint8B | |
| +0x098 MaximumWorkingSetSize : Uint8B | |
| +0x0a0 PeakWorkingSetSize : Uint8B | |
| +0x0a8 HardFaultCount : Uint4B | |
| +0x0ac LastTrimStamp : Uint2B | |
| +0x0ae PartitionId : Uint2B | |
| +0x0b0 SelfmapLock : Uint8B | |
| +0x0b8 Flags : _MMSUPPORT_FLAGS | |
| +0x000 WorkingSetType : Pos 0, 3 Bits | |
| +0x000 Reserved0 : Pos 3, 3 Bits | |
| +0x000 MaximumWorkingSetHard : Pos 6, 1 Bit | |
| +0x000 MinimumWorkingSetHard : Pos 7, 1 Bit | |
| +0x001 SessionMaster : Pos 0, 1 Bit | |
| +0x001 TrimmerState : Pos 1, 2 Bits | |
| +0x001 Reserved : Pos 3, 1 Bit | |
| +0x001 PageStealers : Pos 4, 4 Bits | |
| +0x000 u1 : Uint2B | |
| +0x002 MemoryPriority : UChar | |
| +0x003 WsleDeleted : Pos 0, 1 Bit | |
| +0x003 SvmEnabled : Pos 1, 1 Bit | |
| +0x003 ForceAge : Pos 2, 1 Bit | |
| +0x003 ForceTrim : Pos 3, 1 Bit | |
| +0x003 NewMaximum : Pos 4, 1 Bit | |
| +0x003 CommitReleaseState : Pos 5, 2 Bits | |
| +0x003 u2 : UChar | |
| +0x0c0 Shared : _MMSUPPORT_SHARED | |
| +0x000 WorkingSetLock : Int4B | |
| +0x004 GoodCitizenWaiting : Int4B | |
| +0x008 ReleasedCommitDebt : Uint8B | |
| +0x010 ResetPagesRepurposedCount : Uint8B | |
| +0x018 WsSwapSupport : Ptr64 | |
| +0x020 CommitReleaseContext : Ptr64 | |
| +0x028 AccessLog : Ptr64 | |
| +0x030 ChargedWslePages : Uint8B | |
| +0x038 ActualWslePages : Uint8B | |
| +0x040 WorkingSetCoreLock : Uint8B | |
| +0x048 ShadowMapping : Ptr64 | |
| +0x7c0 MmProcessLinks : _LIST_ENTRY | |
| +0x000 Flink : Ptr64 | |
| +0x008 Blink : Ptr64 | |
| +0x7d0 ModifiedPageCount : Uint4B | |
| +0x7d4 ExitStatus : Int4B | |
| +0x7d8 VadRoot : _RTL_AVL_TREE | |
| +0x000 Root : Ptr64 | |
| +0x7e0 VadHint : Ptr64 | |
| +0x7e8 VadCount : Uint8B | |
| +0x7f0 VadPhysicalPages : Uint8B | |
| +0x7f8 VadPhysicalPagesLimit : Uint8B | |
| +0x800 AlpcContext : _ALPC_PROCESS_CONTEXT | |
| +0x000 Lock : _EX_PUSH_LOCK | |
| +0x000 Locked : Pos 0, 1 Bit | |
| +0x000 Waiting : Pos 1, 1 Bit | |
| +0x000 Waking : Pos 2, 1 Bit | |
| +0x000 MultipleShared : Pos 3, 1 Bit | |
| +0x000 Shared : Pos 4, 60 Bits | |
| +0x000 Value : Uint8B | |
| +0x000 Ptr : Ptr64 | |
| +0x008 ViewListHead : _LIST_ENTRY | |
| +0x000 Flink : Ptr64 | |
| +0x008 Blink : Ptr64 | |
| +0x018 PagedPoolQuotaCache : Uint8B | |
| +0x820 TimerResolutionLink : _LIST_ENTRY | |
| +0x000 Flink : Ptr64 | |
| +0x008 Blink : Ptr64 | |
| +0x830 TimerResolutionStackRecord : Ptr64 | |
| +0x838 RequestedTimerResolution : Uint4B | |
| +0x83c SmallestTimerResolution : Uint4B | |
| +0x840 ExitTime : _LARGE_INTEGER | |
| +0x000 LowPart : Uint4B | |
| +0x004 HighPart : Int4B | |
| +0x000 u : <anonymous-tag> | |
| +0x000 LowPart : Uint4B | |
| +0x004 HighPart : Int4B | |
| +0x000 QuadPart : Int8B | |
| +0x848 InvertedFunctionTable : Ptr64 | |
| +0x850 InvertedFunctionTableLock : _EX_PUSH_LOCK | |
| +0x000 Locked : Pos 0, 1 Bit | |
| +0x000 Waiting : Pos 1, 1 Bit | |
| +0x000 Waking : Pos 2, 1 Bit | |
| +0x000 MultipleShared : Pos 3, 1 Bit | |
| +0x000 Shared : Pos 4, 60 Bits | |
| +0x000 Value : Uint8B | |
| +0x000 Ptr : Ptr64 | |
| +0x858 ActiveThreadsHighWatermark : Uint4B | |
| +0x85c LargePrivateVadCount : Uint4B | |
| +0x860 ThreadListLock : _EX_PUSH_LOCK | |
| +0x000 Locked : Pos 0, 1 Bit | |
| +0x000 Waiting : Pos 1, 1 Bit | |
| +0x000 Waking : Pos 2, 1 Bit | |
| +0x000 MultipleShared : Pos 3, 1 Bit | |
| +0x000 Shared : Pos 4, 60 Bits | |
| +0x000 Value : Uint8B | |
| +0x000 Ptr : Ptr64 | |
| +0x868 WnfContext : Ptr64 | |
| +0x870 ServerSilo : Ptr64 | |
| +0x878 SignatureLevel : UChar | |
| +0x879 SectionSignatureLevel : UChar | |
| +0x87a Protection : _PS_PROTECTION | |
| +0x000 Level : UChar | |
| +0x000 Type : Pos 0, 3 Bits | |
| +0x000 Audit : Pos 3, 1 Bit | |
| +0x000 Signer : Pos 4, 4 Bits | |
| +0x87b HangCount : Pos 0, 3 Bits | |
| +0x87b GhostCount : Pos 3, 3 Bits | |
| +0x87b PrefilterException : Pos 6, 1 Bit | |
| +0x87c Flags3 : Uint4B | |
| +0x87c Minimal : Pos 0, 1 Bit | |
| +0x87c ReplacingPageRoot : Pos 1, 1 Bit | |
| +0x87c Crashed : Pos 2, 1 Bit | |
| +0x87c JobVadsAreTracked : Pos 3, 1 Bit | |
| +0x87c VadTrackingDisabled : Pos 4, 1 Bit | |
| +0x87c AuxiliaryProcess : Pos 5, 1 Bit | |
| +0x87c SubsystemProcess : Pos 6, 1 Bit | |
| +0x87c IndirectCpuSets : Pos 7, 1 Bit | |
| +0x87c RelinquishedCommit : Pos 8, 1 Bit | |
| +0x87c HighGraphicsPriority : Pos 9, 1 Bit | |
| +0x87c CommitFailLogged : Pos 10, 1 Bit | |
| +0x87c ReserveFailLogged : Pos 11, 1 Bit | |
| +0x87c SystemProcess : Pos 12, 1 Bit | |
| +0x87c HideImageBaseAddresses : Pos 13, 1 Bit | |
| +0x87c AddressPolicyFrozen : Pos 14, 1 Bit | |
| +0x87c ProcessFirstResume : Pos 15, 1 Bit | |
| +0x87c ForegroundExternal : Pos 16, 1 Bit | |
| +0x87c ForegroundSystem : Pos 17, 1 Bit | |
| +0x87c HighMemoryPriority : Pos 18, 1 Bit | |
| +0x87c EnableProcessSuspendResumeLogging : Pos 19, 1 Bit | |
| +0x87c EnableThreadSuspendResumeLogging : Pos 20, 1 Bit | |
| +0x87c SecurityDomainChanged : Pos 21, 1 Bit | |
| +0x87c SecurityFreezeComplete : Pos 22, 1 Bit | |
| +0x87c VmProcessorHost : Pos 23, 1 Bit | |
| +0x87c VmProcessorHostTransition : Pos 24, 1 Bit | |
| +0x87c AltSyscall : Pos 25, 1 Bit | |
| +0x87c TimerResolutionIgnore : Pos 26, 1 Bit | |
| +0x87c DisallowUserTerminate : Pos 27, 1 Bit | |
| +0x880 DeviceAsid : Int4B | |
| +0x888 SvmData : Ptr64 | |
| +0x890 SvmProcessLock : _EX_PUSH_LOCK | |
| +0x000 Locked : Pos 0, 1 Bit | |
| +0x000 Waiting : Pos 1, 1 Bit | |
| +0x000 Waking : Pos 2, 1 Bit | |
| +0x000 MultipleShared : Pos 3, 1 Bit | |
| +0x000 Shared : Pos 4, 60 Bits | |
| +0x000 Value : Uint8B | |
| +0x000 Ptr : Ptr64 | |
| +0x898 SvmLock : Uint8B | |
| +0x8a0 SvmProcessDeviceListHead : _LIST_ENTRY | |
| +0x000 Flink : Ptr64 | |
| +0x008 Blink : Ptr64 | |
| +0x8b0 LastFreezeInterruptTime : Uint8B | |
| +0x8b8 DiskCounters : Ptr64 | |
| +0x8c0 PicoContext : Ptr64 | |
| +0x8c8 EnclaveTable : Ptr64 | |
| +0x8d0 EnclaveNumber : Uint8B | |
| +0x8d8 EnclaveLock : _EX_PUSH_LOCK | |
| +0x000 Locked : Pos 0, 1 Bit | |
| +0x000 Waiting : Pos 1, 1 Bit | |
| +0x000 Waking : Pos 2, 1 Bit | |
| +0x000 MultipleShared : Pos 3, 1 Bit | |
| +0x000 Shared : Pos 4, 60 Bits | |
| +0x000 Value : Uint8B | |
| +0x000 Ptr : Ptr64 | |
| +0x8e0 HighPriorityFaultsAllowed : Uint4B | |
| +0x8e8 EnergyContext : Ptr64 | |
| +0x8f0 VmContext : Ptr64 | |
| +0x8f8 SequenceNumber : Uint8B | |
| +0x900 CreateInterruptTime : Uint8B | |
| +0x908 CreateUnbiasedInterruptTime : Uint8B | |
| +0x910 TotalUnbiasedFrozenTime : Uint8B | |
| +0x918 LastAppStateUpdateTime : Uint8B | |
| +0x920 LastAppStateUptime : Pos 0, 61 Bits | |
| +0x920 LastAppState : Pos 61, 3 Bits | |
| +0x928 SharedCommitCharge : Uint8B | |
| +0x930 SharedCommitLock : _EX_PUSH_LOCK | |
| +0x000 Locked : Pos 0, 1 Bit | |
| +0x000 Waiting : Pos 1, 1 Bit | |
| +0x000 Waking : Pos 2, 1 Bit | |
| +0x000 MultipleShared : Pos 3, 1 Bit | |
| +0x000 Shared : Pos 4, 60 Bits | |
| +0x000 Value : Uint8B | |
| +0x000 Ptr : Ptr64 | |
| +0x938 SharedCommitLinks : _LIST_ENTRY | |
| +0x000 Flink : Ptr64 | |
| +0x008 Blink : Ptr64 | |
| +0x948 AllowedCpuSets : Uint8B | |
| +0x950 DefaultCpuSets : Uint8B | |
| +0x948 AllowedCpuSetsIndirect : Ptr64 | |
| +0x950 DefaultCpuSetsIndirect : Ptr64 | |
| +0x958 DiskIoAttribution : Ptr64 | |
| +0x960 DxgProcess : Ptr64 | |
| +0x968 Win32KFilterSet : Uint4B | |
| +0x970 ProcessTimerDelay : _PS_INTERLOCKED_TIMER_DELAY_VALUES | |
| +0x000 DelayMs : Pos 0, 30 Bits | |
| +0x000 CoalescingWindowMs : Pos 30, 30 Bits | |
| +0x000 Reserved : Pos 60, 1 Bit | |
| +0x000 NewTimerWheel : Pos 61, 1 Bit | |
| +0x000 Retry : Pos 62, 1 Bit | |
| +0x000 Locked : Pos 63, 1 Bit | |
| +0x000 All : Uint8B | |
| +0x978 KTimerSets : Uint4B | |
| +0x97c KTimer2Sets : Uint4B | |
| +0x980 ThreadTimerSets : Uint4B | |
| +0x988 VirtualTimerListLock : Uint8B | |
| +0x990 VirtualTimerListHead : _LIST_ENTRY | |
| +0x000 Flink : Ptr64 | |
| +0x008 Blink : Ptr64 | |
| +0x9a0 WakeChannel : _WNF_STATE_NAME | |
| +0x000 Data : Uint4B | |
| +0x9a0 WakeInfo : _PS_PROCESS_WAKE_INFORMATION | |
| +0x000 NotificationChannel : Uint8B | |
| +0x008 WakeCounters : Uint4B | |
| +0x024 WakeFilter : _JOBOBJECT_WAKE_FILTER | |
| +0x000 HighEdgeFilter : Uint4B | |
| +0x004 LowEdgeFilter : Uint4B | |
| +0x02c NoWakeCounter : Uint4B | |
| +0x9d0 MitigationFlags : Uint4B | |
| +0x9d0 MitigationFlagsValues : <anonymous-tag> | |
| +0x000 ControlFlowGuardEnabled : Pos 0, 1 Bit | |
| +0x000 ControlFlowGuardExportSuppressionEnabled : Pos 1, 1 Bit | |
| +0x000 ControlFlowGuardStrict : Pos 2, 1 Bit | |
| +0x000 DisallowStrippedImages : Pos 3, 1 Bit | |
| +0x000 ForceRelocateImages : Pos 4, 1 Bit | |
| +0x000 HighEntropyASLREnabled : Pos 5, 1 Bit | |
| +0x000 StackRandomizationDisabled : Pos 6, 1 Bit | |
| +0x000 ExtensionPointDisable : Pos 7, 1 Bit | |
| +0x000 DisableDynamicCode : Pos 8, 1 Bit | |
| +0x000 DisableDynamicCodeAllowOptOut : Pos 9, 1 Bit | |
| +0x000 DisableDynamicCodeAllowRemoteDowngrade : Pos 10, 1 Bit | |
| +0x000 AuditDisableDynamicCode : Pos 11, 1 Bit | |
| +0x000 DisallowWin32kSystemCalls : Pos 12, 1 Bit | |
| +0x000 AuditDisallowWin32kSystemCalls : Pos 13, 1 Bit | |
| +0x000 EnableFilteredWin32kAPIs : Pos 14, 1 Bit | |
| +0x000 AuditFilteredWin32kAPIs : Pos 15, 1 Bit | |
| +0x000 DisableNonSystemFonts : Pos 16, 1 Bit | |
| +0x000 AuditNonSystemFontLoading : Pos 17, 1 Bit | |
| +0x000 PreferSystem32Images : Pos 18, 1 Bit | |
| +0x000 ProhibitRemoteImageMap : Pos 19, 1 Bit | |
| +0x000 AuditProhibitRemoteImageMap : Pos 20, 1 Bit | |
| +0x000 ProhibitLowILImageMap : Pos 21, 1 Bit | |
| +0x000 AuditProhibitLowILImageMap : Pos 22, 1 Bit | |
| +0x000 SignatureMitigationOptIn : Pos 23, 1 Bit | |
| +0x000 AuditBlockNonMicrosoftBinaries : Pos 24, 1 Bit | |
| +0x000 AuditBlockNonMicrosoftBinariesAllowStore : Pos 25, 1 Bit | |
| +0x000 LoaderIntegrityContinuityEnabled : Pos 26, 1 Bit | |
| +0x000 AuditLoaderIntegrityContinuity : Pos 27, 1 Bit | |
| +0x000 EnableModuleTamperingProtection : Pos 28, 1 Bit | |
| +0x000 EnableModuleTamperingProtectionNoInherit : Pos 29, 1 Bit | |
| +0x000 RestrictIndirectBranchPrediction : Pos 30, 1 Bit | |
| +0x000 IsolateSecurityDomain : Pos 31, 1 Bit | |
| +0x9d4 MitigationFlags2 : Uint4B | |
| +0x9d4 MitigationFlags2Values : <anonymous-tag> | |
| +0x000 EnableExportAddressFilter : Pos 0, 1 Bit | |
| +0x000 AuditExportAddressFilter : Pos 1, 1 Bit | |
| +0x000 EnableExportAddressFilterPlus : Pos 2, 1 Bit | |
| +0x000 AuditExportAddressFilterPlus : Pos 3, 1 Bit | |
| +0x000 EnableRopStackPivot : Pos 4, 1 Bit | |
| +0x000 AuditRopStackPivot : Pos 5, 1 Bit | |
| +0x000 EnableRopCallerCheck : Pos 6, 1 Bit | |
| +0x000 AuditRopCallerCheck : Pos 7, 1 Bit | |
| +0x000 EnableRopSimExec : Pos 8, 1 Bit | |
| +0x000 AuditRopSimExec : Pos 9, 1 Bit | |
| +0x000 EnableImportAddressFilter : Pos 10, 1 Bit | |
| +0x000 AuditImportAddressFilter : Pos 11, 1 Bit | |
| +0x000 DisablePageCombine : Pos 12, 1 Bit | |
| +0x000 SpeculativeStoreBypassDisable : Pos 13, 1 Bit | |
| +0x000 CetUserShadowStacks : Pos 14, 1 Bit | |
| +0x000 AuditCetUserShadowStacks : Pos 15, 1 Bit | |
| +0x000 AuditCetUserShadowStacksLogged : Pos 16, 1 Bit | |
| +0x000 UserCetSetContextIpValidation : Pos 17, 1 Bit | |
| +0x000 AuditUserCetSetContextIpValidation : Pos 18, 1 Bit | |
| +0x000 AuditUserCetSetContextIpValidationLogged : Pos 19, 1 Bit | |
| +0x9d8 PartitionObject : Ptr64 | |
| +0x9e0 SecurityDomain : Uint8B | |
| +0x9e8 ParentSecurityDomain : Uint8B | |
| +0x9f0 CoverageSamplerContext : Ptr64 | |
| +0x9f8 MmHotPatchContext : Ptr64 | |
| +0xa00 DynamicEHContinuationTargetsTree : _RTL_AVL_TREE | |
| +0x000 Root : Ptr64 | |
| +0xa08 DynamicEHContinuationTargetsLock : _EX_PUSH_LOCK | |
| +0x000 Locked : Pos 0, 1 Bit | |
| +0x000 Waiting : Pos 1, 1 Bit | |
| +0x000 Waking : Pos 2, 1 Bit | |
| +0x000 MultipleShared : Pos 3, 1 Bit | |
| +0x000 Shared : Pos 4, 60 Bits | |
| +0x000 Value : Uint8B | |
| +0x000 Ptr : Ptr64 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment