ksx.template.h

Go to the documentation of this file.

 
 
HEADER("Pointer size"),
SIZE(SizeofPointer, PVOID),
 
HEADER("Bug Check Codes"),
CONSTANT(APC_INDEX_MISMATCH),
CONSTANT(INVALID_AFFINITY_SET),
CONSTANT(INVALID_DATA_ACCESS_TRAP),
CONSTANT(IRQL_NOT_GREATER_OR_EQUAL),
CONSTANT(IRQL_NOT_LESS_OR_EQUAL), // 0x0a
CONSTANT(NO_USER_MODE_CONTEXT), // 0x0e
CONSTANT(SPIN_LOCK_ALREADY_OWNED), // 0x0f
CONSTANT(SPIN_LOCK_NOT_OWNED), // 0x10
CONSTANT(THREAD_NOT_MUTEX_OWNER), // 0x11
CONSTANT(TRAP_CAUSE_UNKNOWN), // 0x12
CONSTANT(KMODE_EXCEPTION_NOT_HANDLED), // 0x1e
CONSTANT(KERNEL_APC_PENDING_DURING_EXIT), // 0x20
CONSTANT(PANIC_STACK_SWITCH), // 0x2b
CONSTANT(DATA_BUS_ERROR), // 0x2e
CONSTANT(INSTRUCTION_BUS_ERROR), // 0x2f
CONSTANT(SYSTEM_EXIT_OWNED_MUTEX), // 0x39
//CONSTANT(SYSTEM_UNWIND_PREVIOUS_USER), // 0x3a
//CONSTANT(SYSTEM_SERVICE_EXCEPTION), // 0x3b
//CONSTANT(INTERRUPT_UNWIND_ATTEMPTED), // 0x3c
//CONSTANT(INTERRUPT_EXCEPTION_NOT_HANDLED), // 0x3d
CONSTANT(PAGE_FAULT_WITH_INTERRUPTS_OFF), // 0x49
CONSTANT(IRQL_GT_ZERO_AT_SYSTEM_SERVICE), // 0x4a
CONSTANT(DATA_COHERENCY_EXCEPTION), // 0x55
CONSTANT(INSTRUCTION_COHERENCY_EXCEPTION), // 0x56
CONSTANT(HAL1_INITIALIZATION_FAILED), // 0x61
CONSTANT(UNEXPECTED_KERNEL_MODE_TRAP), // 0x7f
CONSTANT(NMI_HARDWARE_FAILURE), // 0x80
CONSTANT(SPIN_LOCK_INIT_FAILURE), // 0x81
CONSTANT(ATTEMPTED_SWITCH_FROM_DPC), // 0xb8
//CONSTANT(MUTEX_ALREADY_OWNED), // 0xbf
//CONSTANT(HARDWARE_INTERRUPT_STORM), // 0xf2
//CONSTANT(RECURSIVE_MACHINE_CHECK), // 0xfb
//CONSTANT(RECURSIVE_NMI), // 0x111
CONSTANT(KERNEL_SECURITY_CHECK_FAILURE), // 0x139
//CONSTANT(UNSUPPORTED_INSTRUCTION_MODE), // 0x151
//CONSTANT(BUGCHECK_CONTEXT_MODIFIER), // 0x80000000
//CONSTANT(INVALID_CALLBACK_STACK_ADDRESS),
//CONSTANT(INVALID_KERNEL_STACK_ADDRESS),
 
HEADER("Breakpoints"),
CONSTANT(BREAKPOINT_BREAK),
CONSTANT(BREAKPOINT_PRINT),
CONSTANT(BREAKPOINT_PROMPT),
CONSTANT(BREAKPOINT_LOAD_SYMBOLS),
CONSTANT(BREAKPOINT_UNLOAD_SYMBOLS),
CONSTANT(BREAKPOINT_COMMAND_STRING),
 
HEADER("Context Frame Flags"),
CONSTANT(CONTEXT_FULL),
CONSTANT(CONTEXT_CONTROL),
CONSTANT(CONTEXT_INTEGER),
CONSTANT(CONTEXT_FLOATING_POINT),
CONSTANT(CONTEXT_DEBUG_REGISTERS),
#if defined(_M_IX86) || defined(_M_AMD64)
CONSTANT(CONTEXT_SEGMENTS),
#endif
 
HEADER("Exception flags"),
CONSTANT(EXCEPTION_NONCONTINUABLE),
CONSTANT(EXCEPTION_UNWINDING),
CONSTANT(EXCEPTION_EXIT_UNWIND),
CONSTANT(EXCEPTION_STACK_INVALID),
CONSTANT(EXCEPTION_NESTED_CALL),
CONSTANT(EXCEPTION_TARGET_UNWIND),
CONSTANT(EXCEPTION_COLLIDED_UNWIND),
CONSTANT(EXCEPTION_UNWIND),
CONSTANT(EXCEPTION_EXECUTE_HANDLER),
CONSTANT(EXCEPTION_CONTINUE_SEARCH),
CONSTANT(EXCEPTION_CONTINUE_EXECUTION),
#ifdef _X86_
CONSTANT(EXCEPTION_CHAIN_END),
//CONSTANT(FIXED_NTVDMSTATE_LINEAR), /// FIXME ???
#endif
 
HEADER("Exception types"),
CONSTANT(ExceptionContinueExecution),
CONSTANT(ExceptionContinueSearch),
CONSTANT(ExceptionNestedException),
CONSTANT(ExceptionCollidedUnwind),
 
HEADER("Fast Fail Constants"),
CONSTANT(FAST_FAIL_GUARD_ICALL_CHECK_FAILURE),
//CONSTANT(FAST_FAIL_INVALID_BUFFER_ACCESS),
#ifdef _M_ASM64
CONSTANT(FAST_FAIL_INVALID_JUMP_BUFFER),
CONSTANT(FAST_FAIL_INVALID_SET_OF_CONTEXT),
#endif // _M_ASM64
//CONSTANT(FAST_FAIL_INVALID_NEXT_THREAD),
//CONSTANT(FAST_FAIL_INVALID_CONTROL_STACK),
//CONSTANT(FAST_FAIL_SET_CONTEXT_DENIED),
//CONSTANT(FAST_FAIL_ENCLAVE_CALL_FAILURE),
//CONSTANT(FAST_FAIL_GUARD_SS_FAILURE),
 
HEADER("Interrupt object types"),
CONSTANTX(InLevelSensitive, LevelSensitive),
CONSTANTX(InLatched, Latched),
 
HEADER("IPI"),
#ifndef _M_AMD64
CONSTANT(IPI_APC),
CONSTANT(IPI_DPC),
CONSTANT(IPI_FREEZE),
CONSTANT(IPI_PACKET_READY),
#endif // _M_AMD64
#ifdef _M_IX86
CONSTANT(IPI_SYNCH_REQUEST),
#endif // _M_IX86
 
HEADER("IRQL"),
CONSTANT(PASSIVE_LEVEL),
CONSTANT(APC_LEVEL),
CONSTANT(DISPATCH_LEVEL),
#ifdef _M_AMD64
CONSTANT(CLOCK_LEVEL),
#elif defined(_M_IX86)
CONSTANT(CLOCK1_LEVEL),
CONSTANT(CLOCK2_LEVEL),
#endif
CONSTANT(IPI_LEVEL),
CONSTANT(POWER_LEVEL),
CONSTANT(PROFILE_LEVEL),
CONSTANT(HIGH_LEVEL),
 
RAW("#ifndef CONFIG_SMP"),
CONSTANTX(SYNCH_LEVEL, DISPATCH_LEVEL),
RAW("#else"),
#if defined(_M_IX86) && (NTDDI_VERSION < NTDDI_WS03)
CONSTANTX(SYNCH_LEVEL, (IPI_LEVEL - 1)),
#else
CONSTANTX(SYNCH_LEVEL, (IPI_LEVEL - 2)),
#endif
RAW("#endif"),
 
#if (NTDDI_VERSION >= NTDDI_WIN8)
HEADER("Entropy Timing Constants"),
CONSTANT(KENTROPY_TIMING_INTERRUPTS_PER_BUFFER),
CONSTANT(KENTROPY_TIMING_BUFFER_MASK),
CONSTANT(KENTROPY_TIMING_ANALYSIS),
#endif
 
HEADER("Lock Queue"),
CONSTANT(LOCK_QUEUE_WAIT),
CONSTANT(LOCK_QUEUE_OWNER),
CONSTANT(LockQueueDispatcherLock), 
 
//HEADER("Performance Definitions"),
//CONSTANT(PERF_CONTEXTSWAP_OFFSET),
//CONSTANT(PERF_CONTEXTSWAP_FLAG),
//CONSTANT(PERF_INTERRUPT_OFFSET),
//CONSTANT(PERF_INTERRUPT_FLAG),
//CONSTANT(PERF_SYSCALL_OFFSET),
//CONSTANT(PERF_SYSCALL_FLAG),
#ifndef _M_ARM
//CONSTANT(PERF_PROFILE_OFFSET), /// FIXE: obsolete
//CONSTANT(PERF_PROFILE_FLAG), /// FIXE: obsolete
//CONSTANT(PERF_SPINLOCK_OFFSET), /// FIXE: obsolete
//CONSTANT(PERF_SPINLOCK_FLAG), /// FIXE: obsolete
#endif
#ifdef _M_IX86
//CONSTANT(PERF_IPI_OFFSET), // 00008H
//CONSTANT(PERF_IPI_FLAG), // 0400000H
//CONSTANT(PERF_IPI), // 040400000H
#endif
//CONSTANT(PERF_INTERRUPT), // 020004000H//CONSTANT(NTOS_YIELD_MACRO),
 
HEADER("Process states"),
CONSTANT(ProcessInMemory),
CONSTANT(ProcessOutOfMemory),
CONSTANT(ProcessInTransition),
 
HEADER("Processor mode"),
CONSTANT(KernelMode),
CONSTANT(UserMode),
 
HEADER("Service Table Constants"),
CONSTANT(NUMBER_SERVICE_TABLES),
CONSTANT(SERVICE_NUMBER_MASK),
CONSTANT(SERVICE_TABLE_SHIFT),
CONSTANT(SERVICE_TABLE_MASK),
CONSTANT(SERVICE_TABLE_TEST),
 
HEADER("Status codes"),
CONSTANT(STATUS_ACCESS_VIOLATION),
CONSTANT(STATUS_ASSERTION_FAILURE),
CONSTANT(STATUS_ARRAY_BOUNDS_EXCEEDED),
CONSTANT(STATUS_BAD_COMPRESSION_BUFFER),
CONSTANT(STATUS_BREAKPOINT),
CONSTANT(STATUS_CALLBACK_POP_STACK),
CONSTANT(STATUS_DATATYPE_MISALIGNMENT),
CONSTANT(STATUS_FLOAT_DENORMAL_OPERAND),
CONSTANT(STATUS_FLOAT_DIVIDE_BY_ZERO),
CONSTANT(STATUS_FLOAT_INEXACT_RESULT),
CONSTANT(STATUS_FLOAT_INVALID_OPERATION),
CONSTANT(STATUS_FLOAT_OVERFLOW),
CONSTANT(STATUS_FLOAT_STACK_CHECK),
CONSTANT(STATUS_FLOAT_UNDERFLOW),
CONSTANT(STATUS_FLOAT_MULTIPLE_FAULTS),
CONSTANT(STATUS_FLOAT_MULTIPLE_TRAPS),
CONSTANT(STATUS_GUARD_PAGE_VIOLATION),
CONSTANT(STATUS_ILLEGAL_FLOAT_CONTEXT),
CONSTANT(STATUS_ILLEGAL_INSTRUCTION),
CONSTANT(STATUS_INSTRUCTION_MISALIGNMENT),
CONSTANT(STATUS_INVALID_HANDLE),
CONSTANT(STATUS_INVALID_LOCK_SEQUENCE),
CONSTANT(STATUS_INVALID_OWNER),
CONSTANT(STATUS_INVALID_PARAMETER),
CONSTANT(STATUS_INVALID_PARAMETER_1),
CONSTANT(STATUS_INVALID_SYSTEM_SERVICE),
//CONSTANT(STATUS_INVALID_THREAD),
CONSTANT(STATUS_INTEGER_DIVIDE_BY_ZERO),
CONSTANT(STATUS_INTEGER_OVERFLOW),
CONSTANT(STATUS_IN_PAGE_ERROR),
CONSTANT(STATUS_KERNEL_APC),
CONSTANT(STATUS_LONGJUMP),
CONSTANT(STATUS_NO_CALLBACK_ACTIVE),
#ifndef _M_ARM
CONSTANT(STATUS_NO_EVENT_PAIR), 
#endif
CONSTANT(STATUS_PRIVILEGED_INSTRUCTION),
CONSTANT(STATUS_SINGLE_STEP),
CONSTANT(STATUS_STACK_BUFFER_OVERRUN),
CONSTANT(STATUS_STACK_OVERFLOW),
CONSTANT(STATUS_SUCCESS),
CONSTANT(STATUS_THREAD_IS_TERMINATING),
CONSTANT(STATUS_TIMEOUT),
CONSTANT(STATUS_UNWIND),
CONSTANT(STATUS_UNWIND_CONSOLIDATE),
CONSTANT(STATUS_USER_APC),
CONSTANT(STATUS_WAKE_SYSTEM),
CONSTANT(STATUS_WAKE_SYSTEM_DEBUGGER),
//CONSTANT(STATUS_SET_CONTEXT_DENIED),
 
//HEADER("Thread flags"),
//CONSTANT(THREAD_FLAGS_CYCLE_PROFILING),
//CONSTANT(THREAD_FLAGS_CYCLE_PROFILING_LOCK_BIT),
//CONSTANT(THREAD_FLAGS_CYCLE_PROFILING_LOCK),
//CONSTANT(THREAD_FLAGS_COUNTER_PROFILING),
//CONSTANT(THREAD_FLAGS_COUNTER_PROFILING_LOCK_BIT),
//CONSTANT(THREAD_FLAGS_COUNTER_PROFILING_LOCK),
//CONSTANT(THREAD_FLAGS_CPU_THROTTLED), /// FIXME: obsolete
//CONSTANT(THREAD_FLAGS_CPU_THROTTLED_BIT), /// FIXME: obsolete
//CONSTANT(THREAD_FLAGS_ACCOUNTING_CSWITCH),
//CONSTANT(THREAD_FLAGS_ACCOUNTING_INTERRUPT),
//CONSTANT(THREAD_FLAGS_ACCOUNTING_ANY),
//CONSTANT(THREAD_FLAGS_GROUP_SCHEDULING),
//CONSTANT(THREAD_FLAGS_AFFINITY_SET),
#ifdef _M_IX86
//CONSTANT(THREAD_FLAGS_INSTRUMENTED), // 0x0040
//CONSTANT(THREAD_FLAGS_INSTRUMENTED_PROFILING), // 0x0041
#endif // _M_IX86
 
HEADER("TLS defines"),
CONSTANT(TLS_MINIMUM_AVAILABLE),
CONSTANT(TLS_EXPANSION_SLOTS),
 
HEADER("Thread states"),
CONSTANT(Initialized),
CONSTANT(Ready),
CONSTANT(Running),
CONSTANT(Standby),
CONSTANT(Terminated),
CONSTANT(Waiting),
#ifdef _M_ARM
CONSTANT(Transition),
CONSTANT(DeferredReady),
//CONSTANT(GateWaitObsolete),
#endif // _M_ARM
 
HEADER("Wait type / reason"),
CONSTANT(WrExecutive),
CONSTANT(WrMutex), 
CONSTANT(WrDispatchInt),
CONSTANT(WrQuantumEnd), 
CONSTANT(WrEventPair), 
CONSTANT(WaitAny),
CONSTANT(WaitAll),
 
HEADER("Stack sizes"),
CONSTANT(KERNEL_STACK_SIZE), 
CONSTANT(KERNEL_LARGE_STACK_SIZE),
CONSTANT(KERNEL_LARGE_STACK_COMMIT),
CONSTANT(DOUBLE_FAULT_STACK_SIZE),
#ifdef _M_AMD64
CONSTANT(KERNEL_MCA_EXCEPTION_STACK_SIZE),
CONSTANT(NMI_STACK_SIZE),
CONSTANT(ISR_STACK_SIZE),
#endif
 
//CONSTANT(KTHREAD_AUTO_ALIGNMENT_BIT),
//CONSTANT(KTHREAD_GUI_THREAD_MASK),
//CONSTANT(KTHREAD_SYSTEM_THREAD_BIT),
//CONSTANT(KTHREAD_QUEUE_DEFER_PREEMPTION_BIT),
//CONSTANT(KTHREAD_RESTRICTED_GUI_THREAD_MASK),
//CONSTANT(KTHREAD_BAM_QOS_LEVEL_MASK),
 
HEADER("Miscellaneous Definitions"),
CONSTANT(TRUE),
CONSTANT(FALSE),
CONSTANT(PAGE_SIZE),
CONSTANT(Executive),
//CONSTANT(BASE_PRIORITY_THRESHOLD),
//CONSTANT(EVENT_PAIR_INCREMENT), /// FIXME: obsolete
CONSTANT(LOW_REALTIME_PRIORITY),
CONSTANT(CLOCK_QUANTUM_DECREMENT),
//CONSTANT(READY_SKIP_QUANTUM),
//CONSTANT(THREAD_QUANTUM),
CONSTANT(WAIT_QUANTUM_DECREMENT),
//CONSTANT(ROUND_TRIP_DECREMENT_COUNT),
CONSTANT(MAXIMUM_PROCESSORS),
CONSTANT(INITIAL_STALL_COUNT),
//CONSTANT(EXCEPTION_EXECUTE_FAULT), // amd64
//CONSTANT(KCACHE_ERRATA_MONITOR_FLAGS), // not arm
//CONSTANT(KI_DPC_ALL_FLAGS),
//CONSTANT(KI_DPC_ANY_DPC_ACTIVE),
//CONSTANT(KI_DPC_INTERRUPT_FLAGS), // 0x2f arm and x64
//CONSTANT(KI_EXCEPTION_GP_FAULT), // not i386
//CONSTANT(KI_EXCEPTION_INVALID_OP), // not i386
//CONSTANT(KI_EXCEPTION_INTEGER_DIVIDE_BY_ZERO), // amd64
CONSTANT(KI_EXCEPTION_ACCESS_VIOLATION),
//CONSTANT(KI_EXCEPTION_SECURE_FAULT),
//CONSTANT(KI_EXCEPTION_SEGMENT_NOT_PRESENT),
//CONSTANT(KINTERRUPT_STATE_DISABLED_BIT),
//CONSTANT(KINTERRUPT_STATE_DISABLED),
//CONSTANT(TARGET_FREEZE), // amd64
//CONSTANT(BlackHole), // FIXME: obsolete
CONSTANT(DBG_STATUS_CONTROL_C),
//CONSTANTPTR(USER_SHARED_DATA), // FIXME: we need the kernel mode address here!
//CONSTANT(MM_SHARED_USER_DATA_VA),
//CONSTANT(KERNEL_STACK_CONTROL_LARGE_STACK), // FIXME: obsolete
//CONSTANT(DISPATCH_LENGTH), // FIXME: obsolete
//CONSTANT(KI_SLIST_FAULT_COUNT_MAXIMUM), // i386
//CONSTANTUSER_CALLBACK_FILTER),
 
#if !defined(_M_ARM) && !defined(_M_ARM64)
CONSTANT(MAXIMUM_IDTVECTOR),
//CONSTANT(MAXIMUM_PRIMARY_VECTOR),
CONSTANT(PRIMARY_VECTOR_BASE),
CONSTANT(RPL_MASK),
CONSTANT(MODE_MASK),
//MODE_BIT equ 00000H amd64
//LDT_MASK equ 00004H amd64
#endif
 
 
/* STRUCTURE OFFSETS *********************************************************/
 
//HEADER("KAFFINITY_EX"),
//OFFSET(AfCount, KAFFINITY_EX, Count),
//OFFSET(AfBitmap, KAFFINITY_EX, Bitmap),
//SIZE(AffinityExLength, KAFFINITY_EX),
 
//HEADER("Aligned Affinity"),
//OFFSET(AfsCpuSet, ???, CpuSet), // FIXME: obsolete
 
HEADER("KAPC"),
OFFSET(ApType, KAPC, Type),
OFFSET(ApSize, KAPC, Size),
OFFSET(ApThread, KAPC, Thread),
OFFSET(ApApcListEntry, KAPC, ApcListEntry),
OFFSET(ApKernelRoutine, KAPC, KernelRoutine),
OFFSET(ApRundownRoutine, KAPC, RundownRoutine),
OFFSET(ApNormalRoutine, KAPC, NormalRoutine),
OFFSET(ApNormalContext, KAPC, NormalContext),
OFFSET(ApSystemArgument1, KAPC, SystemArgument1),
OFFSET(ApSystemArgument2, KAPC, SystemArgument2),
OFFSET(ApApcStateIndex, KAPC, ApcStateIndex),
OFFSET(ApApcMode, KAPC, ApcMode),
OFFSET(ApInserted, KAPC, Inserted),
SIZE(ApcObjectLength, KAPC),
 
HEADER("KAPC offsets (relative to NormalRoutine)"),
RELOFFSET(ArNormalRoutine, KAPC, NormalRoutine, NormalRoutine),
RELOFFSET(ArNormalContext, KAPC, NormalContext, NormalRoutine),
RELOFFSET(ArSystemArgument1, KAPC, SystemArgument1, NormalRoutine),
RELOFFSET(ArSystemArgument2, KAPC, SystemArgument2, NormalRoutine),
CONSTANTX(ApcRecordLength, 4 * sizeof(PVOID)),
 
HEADER("KAPC_STATE"),
OFFSET(AsApcListHead, KAPC_STATE, ApcListHead),
OFFSET(AsProcess, KAPC_STATE, Process),
OFFSET(AsKernelApcInProgress, KAPC_STATE, KernelApcInProgress), // FIXME: obsolete
OFFSET(AsKernelApcPending, KAPC_STATE, KernelApcPending),
OFFSET(AsUserApcPending, KAPC_STATE, UserApcPending),
 
HEADER("CLIENT_ID"),
OFFSET(CidUniqueProcess, CLIENT_ID, UniqueProcess),
OFFSET(CidUniqueThread, CLIENT_ID, UniqueThread),
 
HEADER("RTL_CRITICAL_SECTION"), // No longer in Win 10 amd64
OFFSET(CsDebugInfo, RTL_CRITICAL_SECTION, DebugInfo),
OFFSET(CsLockCount, RTL_CRITICAL_SECTION, LockCount),
OFFSET(CsRecursionCount, RTL_CRITICAL_SECTION, RecursionCount),
OFFSET(CsOwningThread, RTL_CRITICAL_SECTION, OwningThread),
OFFSET(CsLockSemaphore, RTL_CRITICAL_SECTION, LockSemaphore),
OFFSET(CsSpinCount, RTL_CRITICAL_SECTION, SpinCount),
 
HEADER("RTL_CRITICAL_SECTION_DEBUG"), // No longer in Win 10 amd64
OFFSET(CsType, RTL_CRITICAL_SECTION_DEBUG, Type),
OFFSET(CsCreatorBackTraceIndex, RTL_CRITICAL_SECTION_DEBUG, CreatorBackTraceIndex),
OFFSET(CsCriticalSection, RTL_CRITICAL_SECTION_DEBUG, CriticalSection),
OFFSET(CsProcessLocksList, RTL_CRITICAL_SECTION_DEBUG, ProcessLocksList),
OFFSET(CsEntryCount, RTL_CRITICAL_SECTION_DEBUG, EntryCount),
OFFSET(CsContentionCount, RTL_CRITICAL_SECTION_DEBUG, ContentionCount),
 
HEADER("KDEVICE_QUEUE_ENTRY"),
OFFSET(DeDeviceListEntry, KDEVICE_QUEUE_ENTRY, DeviceListEntry),
OFFSET(DeSortKey, KDEVICE_QUEUE_ENTRY, SortKey),
OFFSET(DeInserted, KDEVICE_QUEUE_ENTRY, Inserted),
SIZE(DeviceQueueEntryLength, KDEVICE_QUEUE_ENTRY),
 
HEADER("KDPC"),
OFFSET(DpType, KDPC, Type),
OFFSET(DpImportance, KDPC, Importance),
OFFSET(DpNumber, KDPC, Number),
OFFSET(DpDpcListEntry, KDPC, DpcListEntry),
OFFSET(DpDeferredRoutine, KDPC, DeferredRoutine),
OFFSET(DpDeferredContext, KDPC, DeferredContext),
OFFSET(DpSystemArgument1, KDPC, SystemArgument1),
OFFSET(DpSystemArgument2, KDPC, SystemArgument2),
OFFSET(DpDpcData, KDPC, DpcData),
SIZE(DpcObjectLength, KDPC),
 
HEADER("KDEVICE_QUEUE"),
OFFSET(DvType, KDEVICE_QUEUE, Type),
OFFSET(DvSize, KDEVICE_QUEUE, Size),
OFFSET(DvDeviceListHead, KDEVICE_QUEUE, DeviceListHead),
OFFSET(DvSpinLock, KDEVICE_QUEUE, Lock),
OFFSET(DvBusy, KDEVICE_QUEUE, Busy),
SIZE(DeviceQueueObjectLength, KDEVICE_QUEUE),
 
HEADER("EXCEPTION_RECORD"),
OFFSET(ErExceptionCode, EXCEPTION_RECORD, ExceptionCode),
OFFSET(ErExceptionFlags, EXCEPTION_RECORD, ExceptionFlags),
OFFSET(ErExceptionRecord, EXCEPTION_RECORD, ExceptionRecord),
OFFSET(ErExceptionAddress, EXCEPTION_RECORD, ExceptionAddress),
OFFSET(ErNumberParameters, EXCEPTION_RECORD, NumberParameters),
OFFSET(ErExceptionInformation, EXCEPTION_RECORD, ExceptionInformation),
SIZE(ExceptionRecordLength, EXCEPTION_RECORD),
SIZE(EXCEPTION_RECORD_LENGTH, EXCEPTION_RECORD), // not 1386
 
HEADER("EPROCESS"),
OFFSET(EpDebugPort, EPROCESS, DebugPort),
#if defined(_M_IX86)
OFFSET(EpVdmObjects, EPROCESS, VdmObjects),
#elif defined(_M_AMD64)
OFFSET(EpWow64Process, EPROCESS, Wow64Process),
#endif
SIZE(ExecutiveProcessObjectLength, EPROCESS),
 
HEADER("ETHREAD offsets"),
OFFSET(EtCid, ETHREAD, Cid), // 0x364
//OFFSET(EtPicoContext, ETHREAD, PicoContext),
SIZE(ExecutiveThreadObjectLength, ETHREAD), // 0x418
 
HEADER("KEVENT"),
OFFSET(EvType, KEVENT, Header.Type),
OFFSET(EvSize, KEVENT, Header.Size),
OFFSET(EvSignalState, KEVENT, Header.SignalState),
OFFSET(EvWaitListHead, KEVENT, Header.WaitListHead),
SIZE(EventObjectLength, KEVENT),
 
HEADER("FIBER"),
OFFSET(FbFiberData, FIBER, FiberData),
OFFSET(FbExceptionList, FIBER, ExceptionList),
OFFSET(FbStackBase, FIBER, StackBase),
OFFSET(FbStackLimit, FIBER, StackLimit),
OFFSET(FbDeallocationStack, FIBER, DeallocationStack),
OFFSET(FbFiberContext, FIBER, FiberContext),
//OFFSET(FbWx86Tib, FIBER, Wx86Tib),
//OFFSET(FbActivationContextStackPointer, FIBER, ActivationContextStackPointer),
OFFSET(FbFlsData, FIBER, FlsData),
OFFSET(FbGuaranteedStackBytes, FIBER, GuaranteedStackBytes),
//OFFSET(FbTebFlags, FIBER, TebFlags),
 
HEADER("FAST_MUTEX"),
OFFSET(FmCount, FAST_MUTEX, Count),
OFFSET(FmOwner, FAST_MUTEX, Owner),
OFFSET(FmContention, FAST_MUTEX, Contention),
//OFFSET(FmGate, FAST_MUTEX, Gate), // obsolete
OFFSET(FmOldIrql, FAST_MUTEX, OldIrql),
 
#ifndef _M_ARM
HEADER("GETSETCONTEXT offsets"), // GET_SET_CTX_CONTEXT
OFFSET(GetSetCtxContextPtr, GETSETCONTEXT, Context),
#endif // _M_ARM
 
HEADER("KINTERRUPT"),
OFFSET(InType, KINTERRUPT, Type),
OFFSET(InSize, KINTERRUPT, Size),
OFFSET(InInterruptListEntry, KINTERRUPT, InterruptListEntry),
OFFSET(InServiceRoutine, KINTERRUPT, ServiceRoutine),
OFFSET(InServiceContext, KINTERRUPT, ServiceContext),
OFFSET(InSpinLock, KINTERRUPT, SpinLock),
OFFSET(InTickCount, KINTERRUPT, TickCount),
OFFSET(InActualLock, KINTERRUPT, ActualLock),
OFFSET(InDispatchAddress, KINTERRUPT, DispatchAddress),
OFFSET(InVector, KINTERRUPT, Vector),
OFFSET(InIrql, KINTERRUPT, Irql),
OFFSET(InSynchronizeIrql, KINTERRUPT, SynchronizeIrql),
OFFSET(InFloatingSave, KINTERRUPT, FloatingSave),
OFFSET(InConnected, KINTERRUPT, Connected),
OFFSET(InNumber, KINTERRUPT, Number),
OFFSET(InShareVector, KINTERRUPT, ShareVector),
//OFFSET(InInternalState, KINTERRUPT, InternalState),
OFFSET(InMode, KINTERRUPT, Mode),
OFFSET(InServiceCount, KINTERRUPT, ServiceCount),
OFFSET(InDispatchCount, KINTERRUPT, DispatchCount),
//OFFSET(InTrapFrame, KINTERRUPT, TrapFrame), // amd64
OFFSET(InDispatchCode, KINTERRUPT, DispatchCode), // obsolete
SIZE(InterruptObjectLength, KINTERRUPT),
 
#ifdef _M_AMD64
HEADER("IO_STATUS_BLOCK"),
OFFSET(IoStatus, IO_STATUS_BLOCK, Status),
OFFSET(IoPointer, IO_STATUS_BLOCK, Pointer),
OFFSET(IoInformation, IO_STATUS_BLOCK, Information),
#endif /* _M_AMD64 */
 
#if (NTDDI_VERSION >= NTDDI_WIN8)
HEADER("KSTACK_CONTROL"),
OFFSET(KcCurrentBase, KSTACK_CONTROL, StackBase),
OFFSET(KcActualLimit, KSTACK_CONTROL, ActualLimit),
OFFSET(KcPreviousBase, KSTACK_CONTROL, Previous.StackBase),
OFFSET(KcPreviousLimit, KSTACK_CONTROL, Previous.StackLimit),
OFFSET(KcPreviousKernel, KSTACK_CONTROL, Previous.KernelStack),
OFFSET(KcPreviousInitial, KSTACK_CONTROL, Previous.InitialStack),
#ifdef _IX86
OFFSET(KcTrapFrame, KSTACK_CONTROL, PreviousTrapFrame),
OFFSET(KcExceptionList, KSTACK_CONTROL, PreviousExceptionList),
#endif // _IX86
SIZE(KSTACK_CONTROL_LENGTH, KSTACK_CONTROL),
CONSTANT(KSTACK_ACTUAL_LIMIT_EXPANDED), // move somewhere else?
#else
//HEADER("KERNEL_STACK_CONTROL"), // obsolete
#endif
 
#if 0 // no longer in win 10, different struct
HEADER("KNODE"),
//OFFSET(KnRight, KNODE, Right),
//OFFSET(KnLeft, KNODE, Left),
OFFSET(KnPfnDereferenceSListHead, KNODE, PfnDereferenceSListHead),
OFFSET(KnProcessorMask, KNODE, ProcessorMask),
OFFSET(KnColor, KNODE, Color),
OFFSET(KnSeed, KNODE, Seed),
OFFSET(KnNodeNumber, KNODE, NodeNumber),
OFFSET(KnFlags, KNODE, Flags),
OFFSET(KnMmShiftedColor, KNODE, MmShiftedColor),
OFFSET(KnFreeCount, KNODE, FreeCount),
OFFSET(KnPfnDeferredList, KNODE, PfnDeferredList),
SIZE(KNODE_SIZE, KNODE),
#endif
 
HEADER("KSPIN_LOCK_QUEUE"),
OFFSET(LqNext, KSPIN_LOCK_QUEUE, Next),
OFFSET(LqLock, KSPIN_LOCK_QUEUE, Lock),
SIZE(LOCK_QUEUE_HEADER_SIZE, KSPIN_LOCK_QUEUE),
 
HEADER("KLOCK_QUEUE_HANDLE"),
OFFSET(LqhLockQueue, KLOCK_QUEUE_HANDLE, LockQueue),
OFFSET(LqhNext, KLOCK_QUEUE_HANDLE, LockQueue.Next),
OFFSET(LqhLock, KLOCK_QUEUE_HANDLE, LockQueue.Lock),
OFFSET(LqhOldIrql, KLOCK_QUEUE_HANDLE, OldIrql),
 
HEADER("LARGE_INTEGER"),
OFFSET(LiLowPart, LARGE_INTEGER, LowPart),
OFFSET(LiHighPart, LARGE_INTEGER, HighPart),
 
HEADER("LOADER_PARAMETER_BLOCK (rel. to LoadOrderListHead)"),
RELOFFSET(LpbKernelStack, LOADER_PARAMETER_BLOCK, KernelStack, LoadOrderListHead),
RELOFFSET(LpbPrcb, LOADER_PARAMETER_BLOCK, Prcb, LoadOrderListHead),
RELOFFSET(LpbProcess, LOADER_PARAMETER_BLOCK, Process, LoadOrderListHead),
RELOFFSET(LpbThread, LOADER_PARAMETER_BLOCK, Thread, LoadOrderListHead),
 
HEADER("LIST_ENTRY"),
OFFSET(LsFlink, LIST_ENTRY, Flink),
OFFSET(LsBlink, LIST_ENTRY, Blink),
 
HEADER("PEB"),
OFFSET(PeBeingDebugged, PEB, BeingDebugged),
OFFSET(PeProcessParameters, PEB, ProcessParameters),
OFFSET(PeKernelCallbackTable, PEB, KernelCallbackTable),
SIZE(ProcessEnvironmentBlockLength, PEB),
 
HEADER("KPROFILE"),
OFFSET(PfType, KPROFILE, Type),
OFFSET(PfSize, KPROFILE, Size),
OFFSET(PfProfileListEntry, KPROFILE, ProfileListEntry),
OFFSET(PfProcess, KPROFILE, Process),
OFFSET(PfRangeBase, KPROFILE, RangeBase),
OFFSET(PfRangeLimit, KPROFILE, RangeLimit),
OFFSET(PfBucketShift, KPROFILE, BucketShift),
OFFSET(PfBuffer, KPROFILE, Buffer),
OFFSET(PfSegment, KPROFILE, Segment),
OFFSET(PfAffinity, KPROFILE, Affinity),
OFFSET(PfSource, KPROFILE, Source),
OFFSET(PfStarted, KPROFILE, Started),
SIZE(ProfileObjectLength, KPROFILE),
 
HEADER("PORT_MESSAGE"), // whole thing obsolete in win10
OFFSET(PmLength, PORT_MESSAGE, u1.Length),
OFFSET(PmZeroInit, PORT_MESSAGE, u2.ZeroInit),
OFFSET(PmClientId, PORT_MESSAGE, ClientId),
OFFSET(PmProcess, PORT_MESSAGE, ClientId.UniqueProcess),
OFFSET(PmThread, PORT_MESSAGE, ClientId.UniqueThread),
OFFSET(PmMessageId, PORT_MESSAGE, MessageId),
OFFSET(PmClientViewSize, PORT_MESSAGE, ClientViewSize),
SIZE(PortMessageLength, PORT_MESSAGE),
 
HEADER("KPROCESS"),
OFFSET(PrType, KPROCESS, Header.Type),
OFFSET(PrSize, KPROCESS, Header.Size),
OFFSET(PrSignalState, KPROCESS, Header.SignalState),
OFFSET(PrProfileListHead, KPROCESS, ProfileListHead),
OFFSET(PrDirectoryTableBase, KPROCESS, DirectoryTableBase),
#ifdef _M_ARM
//OFFSET(PrPageDirectory, KPROCESS, PageDirectory),
#elif defined(_M_IX86)
OFFSET(PrLdtDescriptor, KPROCESS, LdtDescriptor),
OFFSET(PrInt21Descriptor, KPROCESS, Int21Descriptor),
#endif
OFFSET(PrThreadListHead, KPROCESS, ThreadListHead),
OFFSET(PrAffinity, KPROCESS, Affinity),
OFFSET(PrReadyListHead, KPROCESS, ReadyListHead),
OFFSET(PrSwapListEntry, KPROCESS, SwapListEntry),
OFFSET(PrActiveProcessors, KPROCESS, ActiveProcessors),
OFFSET(PrProcessFlags, KPROCESS, ProcessFlags),
OFFSET(PrBasePriority, KPROCESS, BasePriority),
OFFSET(PrQuantumReset, KPROCESS, QuantumReset),
#if defined(_M_IX86)
OFFSET(PrIopmOffset, KPROCESS, IopmOffset),
#endif
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
OFFSET(PrCycleTime, KPROCESS, CycleTime),
#endif
OFFSET(PrKernelTime, KPROCESS, KernelTime),
OFFSET(PrUserTime, KPROCESS, UserTime),
#if defined(_M_AMD64) || defined(_M_ARM)
//OFFSET(PrInstrumentationCallback, KPROCESS, InstrumentationCallback),
#elif defined(_M_IX86)
OFFSET(PrVdmTrapcHandler, KPROCESS, VdmTrapcHandler),
//OFFSET(PrVdmObjects, KPROCESS, VdmObjects),
OFFSET(PrFlags, KPROCESS, Flags),
#endif
SIZE(KernelProcessObjectLength, KPROCESS),
 
HEADER("KQUEUE"),
OFFSET(QuType, KQUEUE, Header.Type), // not in win10
OFFSET(QuSize, KQUEUE, Header.Size), // not in win10
OFFSET(QuSignalState, KQUEUE, Header.SignalState),
OFFSET(QuEntryListHead, KQUEUE, EntryListHead),
OFFSET(QuCurrentCount, KQUEUE, CurrentCount),
OFFSET(QuMaximumCount, KQUEUE, MaximumCount),
OFFSET(QuThreadListHead, KQUEUE, ThreadListHead),
SIZE(QueueObjectLength, KQUEUE),
 
HEADER("KSERVICE_TABLE_DESCRIPTOR offsets"),
OFFSET(SdBase, KSERVICE_TABLE_DESCRIPTOR, Base),
OFFSET(SdCount, KSERVICE_TABLE_DESCRIPTOR, Count), // not in win10
OFFSET(SdLimit, KSERVICE_TABLE_DESCRIPTOR, Limit),
OFFSET(SdNumber, KSERVICE_TABLE_DESCRIPTOR, Number),
SIZE(SdLength, KSERVICE_TABLE_DESCRIPTOR),
 
HEADER("STRING"),
OFFSET(StrLength, STRING, Length),
OFFSET(StrMaximumLength, STRING, MaximumLength),
OFFSET(StrBuffer, STRING, Buffer),
 
HEADER("TEB"),
#if defined(_M_IX86)
OFFSET(TeExceptionList, TEB, NtTib.ExceptionList),
#elif defined(_M_AMD64)
OFFSET(TeCmTeb, TEB, NtTib),
#endif
OFFSET(TeStackBase, TEB, NtTib.StackBase),
OFFSET(TeStackLimit, TEB, NtTib.StackLimit),
OFFSET(TeFiberData, TEB, NtTib.FiberData),
OFFSET(TeSelf, TEB, NtTib.Self),
OFFSET(TeEnvironmentPointer, TEB, EnvironmentPointer),
OFFSET(TeClientId, TEB, ClientId),
OFFSET(TeActiveRpcHandle, TEB, ActiveRpcHandle),
OFFSET(TeThreadLocalStoragePointer, TEB, ThreadLocalStoragePointer),
OFFSET(TePeb, TEB, ProcessEnvironmentBlock),
OFFSET(TeLastErrorValue, TEB, LastErrorValue),
OFFSET(TeCountOfOwnedCriticalSections, TEB, CountOfOwnedCriticalSections),
OFFSET(TeCsrClientThread, TEB, CsrClientThread),
OFFSET(TeWOW32Reserved, TEB, WOW32Reserved),
//OFFSET(TeSoftFpcr, TEB, SoftFpcr),
OFFSET(TeExceptionCode, TEB, ExceptionCode),
OFFSET(TeActivationContextStackPointer, TEB, ActivationContextStackPointer),
//#if (NTDDI_VERSION >= NTDDI_WIN10)
//OFFSET(TeInstrumentationCallbackSp, TEB, InstrumentationCallbackSp),
//OFFSET(TeInstrumentationCallbackPreviousPc, TEB, InstrumentationCallbackPreviousPc),
//OFFSET(TeInstrumentationCallbackPreviousSp, TEB, InstrumentationCallbackPreviousSp),
//#endif
OFFSET(TeGdiClientPID, TEB, GdiClientPID),
OFFSET(TeGdiClientTID, TEB, GdiClientTID),
OFFSET(TeGdiThreadLocalInfo, TEB, GdiThreadLocalInfo),
OFFSET(TeglDispatchTable, TEB, glDispatchTable),
OFFSET(TeglReserved1, TEB, glReserved1),
OFFSET(TeglReserved2, TEB, glReserved2),
OFFSET(TeglSectionInfo, TEB, glSectionInfo),
OFFSET(TeglSection, TEB, glSection),
OFFSET(TeglTable, TEB, glTable),
OFFSET(TeglCurrentRC, TEB, glCurrentRC),
OFFSET(TeglContext, TEB, glContext),
OFFSET(TeDeallocationStack, TEB, DeallocationStack),
OFFSET(TeTlsSlots, TEB, TlsSlots),
OFFSET(TeVdm, TEB, Vdm),
OFFSET(TeInstrumentation, TEB, Instrumentation),
OFFSET(TeGdiBatchCount, TEB, GdiBatchCount),
OFFSET(TeGuaranteedStackBytes, TEB, GuaranteedStackBytes),
OFFSET(TeTlsExpansionSlots, TEB, TlsExpansionSlots),
OFFSET(TeFlsData, TEB, FlsData),
SIZE(ThreadEnvironmentBlockLength, TEB),
 
HEADER("TIME_FIELDS"),
OFFSET(TfYear, TIME_FIELDS, Year),
OFFSET(TfMonth, TIME_FIELDS, Month),
OFFSET(TfDay, TIME_FIELDS, Day),
OFFSET(TfHour, TIME_FIELDS, Hour),
OFFSET(TfMinute, TIME_FIELDS, Minute),
OFFSET(TfSecond, TIME_FIELDS, Second),
OFFSET(TfMilliseconds, TIME_FIELDS, Milliseconds),
OFFSET(TfWeekday, TIME_FIELDS, Weekday),
 
HEADER("KTHREAD"),
OFFSET(ThType, KTHREAD, Header.Type),
OFFSET(ThLock, KTHREAD, Header.Lock),
OFFSET(ThSize, KTHREAD, Header.Size),
OFFSET(ThThreadControlFlags, KTHREAD, Header.ThreadControlFlags),
OFFSET(ThDebugActive, KTHREAD, Header.DebugActive),
OFFSET(ThSignalState, KTHREAD, Header.SignalState),
OFFSET(ThInitialStack, KTHREAD, InitialStack),
OFFSET(ThStackLimit, KTHREAD, StackLimit),
OFFSET(ThStackBase, KTHREAD, StackBase),
OFFSET(ThThreadLock, KTHREAD, ThreadLock),
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
OFFSET(ThCycleTime, KTHREAD, CycleTime),
#if defined(_M_IX86)
OFFSET(ThHighCycleTime, KTHREAD, HighCycleTime),
#endif
#endif /* (NTDDI_VERSION >= NTDDI_LONGHORN) */
#if defined(_M_IX86)
OFFSET(ThServiceTable, KTHREAD, ServiceTable),
#endif
//OFFSET(ThCurrentRunTime, KTHREAD, CurrentRunTime),
//OFFSET(ThStateSaveArea, KTHREAD, StateSaveArea), // 0x3C not arm
OFFSET(ThKernelStack, KTHREAD, KernelStack),
#if (NTDDI_VERSION >= NTDDI_WIN7)
OFFSET(ThRunning, KTHREAD, Running),
#endif /* (NTDDI_VERSION >= NTDDI_WIN7) */
OFFSET(ThAlerted, KTHREAD, Alerted),
#if (NTDDI_VERSION >= NTDDI_WIN7)
OFFSET(ThMiscFlags, KTHREAD, MiscFlags),
#endif /* (NTDDI_VERSION >= NTDDI_WIN7) */
OFFSET(ThThreadFlags, KTHREAD, ThreadFlags),
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
OFFSET(ThSystemCallNumber, KTHREAD, SystemCallNumber),
#endif /* (NTDDI_VERSION >= NTDDI_LONGHORN) */
//OFFSET(ThFirstArgument, KTHREAD, FirstArgument),
OFFSET(ThTrapFrame, KTHREAD, TrapFrame),
OFFSET(ThApcState, KTHREAD, ApcState),
OFFSET(ThPriority, KTHREAD, Priority), // obsolete
OFFSET(ThSwapBusy, KTHREAD, SwapBusy),
OFFSET(ThContextSwitches, KTHREAD, ContextSwitches),
OFFSET(ThState, KTHREAD, State),
OFFSET(ThProcess, KTHREAD, Process), // thProcess in native headers
OFFSET(ThNpxState, KTHREAD, NpxState),
OFFSET(ThWaitIrql, KTHREAD, WaitIrql),
OFFSET(ThWaitMode, KTHREAD, WaitMode), // obsolete
OFFSET(ThTeb, KTHREAD, Teb),
OFFSET(ThTimer, KTHREAD, Timer),
OFFSET(ThWin32Thread, KTHREAD, Win32Thread),
OFFSET(ThWaitTime, KTHREAD, WaitTime),
OFFSET(ThCombinedApcDisable, KTHREAD, CombinedApcDisable),
OFFSET(ThKernelApcDisable, KTHREAD, KernelApcDisable),
OFFSET(ThSpecialApcDisable, KTHREAD, SpecialApcDisable),
#if defined(_M_ARM)
//OFFSET(ThVfpState, KTHREAD, VfpState),
#endif
OFFSET(ThNextProcessor, KTHREAD, NextProcessor),
//OFFSET(ThProcess, KTHREAD, Process),
OFFSET(ThPreviousMode, KTHREAD, PreviousMode),
OFFSET(ThPriorityDecrement, KTHREAD, PriorityDecrement), // obsolete
OFFSET(ThAdjustReason, KTHREAD, AdjustReason),
OFFSET(ThAdjustIncrement, KTHREAD, AdjustIncrement),
OFFSET(ThAffinity, KTHREAD, Affinity), // obsolete
OFFSET(ThApcStateIndex, KTHREAD, ApcStateIndex),
OFFSET(ThIdealProcessor, KTHREAD, IdealProcessor), // obsolete
OFFSET(ThApcStatePointer, KTHREAD, ApcStatePointer), // obsolete
OFFSET(ThSavedApcState, KTHREAD, SavedApcState), // obsolete
OFFSET(ThWaitReason, KTHREAD, WaitReason),
OFFSET(ThSaturation, KTHREAD, Saturation), // obsolete
OFFSET(ThLegoData, KTHREAD, LegoData),
//#if defined(_M_ARM) && (NTDDI_VERSION >= NTDDI_WIN10)
//OFFSET(ThUserRoBase, KTHREAD, UserRoBase),
//OFFSET(ThUserRwBase, KTHREAD, UserRwBase),
//#endif
#ifdef _M_IX86
//OFFSET(ThSListFaultCount, KTHREAD, SListFaultCount), // 0x18E
//OFFSET(ThSListFaultAddress, KTHREAD, ListFaultAddress), // 0x10
#endif // _M_IX86
#if defined(_M_IX86) || defined(_M_AMD64)
//OFFSET(ThUserFsBase, KTHREAD, UserFsBase), // 0x434
//OFFSET(ThUserGsBase, KTHREAD, GsBase), // 0x438
#endif // defined
SIZE(KernelThreadObjectLength, KTHREAD),
 
HEADER("ETHREAD"),
//OFFSET(ThSetContextState, ETHREAD, SetContextState),
 
HEADER("KTIMER"),
OFFSET(TiType, KTIMER, Header.Type),
OFFSET(TiSize, KTIMER, Header.Size),
#if (NTDDI_VERSION < NTDDI_WIN7)
OFFSET(TiInserted, KTIMER, Header.Inserted),
#endif
OFFSET(TiSignalState, KTIMER, Header.SignalState),
OFFSET(TiDueTime, KTIMER, DueTime),
OFFSET(TiTimerListEntry, KTIMER, TimerListEntry),
OFFSET(TiDpc, KTIMER, Dpc),
OFFSET(TiPeriod, KTIMER, Period),
SIZE(TimerObjectLength, KTIMER),
 
HEADER("TIME"),
OFFSET(TmLowTime, TIME, LowTime),
OFFSET(TmHighTime, TIME, HighTime),
 
HEADER("SYSTEM_CONTEXT_SWITCH_INFORMATION (relative to FindAny)"),
RELOFFSET(TwFindAny, SYSTEM_CONTEXT_SWITCH_INFORMATION, FindAny, FindAny),
RELOFFSET(TwFindIdeal, SYSTEM_CONTEXT_SWITCH_INFORMATION, FindIdeal, FindAny),
RELOFFSET(TwFindLast, SYSTEM_CONTEXT_SWITCH_INFORMATION, FindLast, FindAny),
RELOFFSET(TwIdleAny, SYSTEM_CONTEXT_SWITCH_INFORMATION, IdleAny, FindAny),
RELOFFSET(TwIdleCurrent, SYSTEM_CONTEXT_SWITCH_INFORMATION, IdleCurrent, FindAny),
RELOFFSET(TwIdleIdeal, SYSTEM_CONTEXT_SWITCH_INFORMATION, IdleIdeal, FindAny),
RELOFFSET(TwIdleLast, SYSTEM_CONTEXT_SWITCH_INFORMATION, IdleLast, FindAny),
RELOFFSET(TwPreemptAny, SYSTEM_CONTEXT_SWITCH_INFORMATION, PreemptAny, FindAny),
RELOFFSET(TwPreemptCurrent, SYSTEM_CONTEXT_SWITCH_INFORMATION, PreemptCurrent, FindAny),
RELOFFSET(TwPreemptLast, SYSTEM_CONTEXT_SWITCH_INFORMATION, PreemptLast, FindAny),
RELOFFSET(TwSwitchToIdle, SYSTEM_CONTEXT_SWITCH_INFORMATION, SwitchToIdle, FindAny),
 
HEADER("KUSER_SHARED_DATA"),
OFFSET(UsTickCountMultiplier, KUSER_SHARED_DATA, TickCountMultiplier), // 0x4
OFFSET(UsInterruptTime, KUSER_SHARED_DATA, InterruptTime), // 0x8
OFFSET(UsSystemTime, KUSER_SHARED_DATA, SystemTime), // 0x14
OFFSET(UsTimeZoneBias, KUSER_SHARED_DATA, TimeZoneBias), // 0x20
OFFSET(UsImageNumberLow, KUSER_SHARED_DATA, ImageNumberLow),
OFFSET(UsImageNumberHigh, KUSER_SHARED_DATA, ImageNumberHigh),
OFFSET(UsNtSystemRoot, KUSER_SHARED_DATA, NtSystemRoot),
OFFSET(UsMaxStackTraceDepth, KUSER_SHARED_DATA, MaxStackTraceDepth),
OFFSET(UsCryptoExponent, KUSER_SHARED_DATA, CryptoExponent),
OFFSET(UsTimeZoneId, KUSER_SHARED_DATA, TimeZoneId),
OFFSET(UsLargePageMinimum, KUSER_SHARED_DATA, LargePageMinimum),
//#if (NTDDI_VERSION >= NTDDI_WIN10)
//OFFSET(UsNtBuildNumber, KUSER_SHARED_DATA, NtBuildNumber),
//#else
OFFSET(UsReserved2, KUSER_SHARED_DATA, Reserved2),
//#endif
OFFSET(UsNtProductType, KUSER_SHARED_DATA, NtProductType),
OFFSET(UsProductTypeIsValid, KUSER_SHARED_DATA, ProductTypeIsValid),
OFFSET(UsNtMajorVersion, KUSER_SHARED_DATA, NtMajorVersion),
OFFSET(UsNtMinorVersion, KUSER_SHARED_DATA, NtMinorVersion),
OFFSET(UsProcessorFeatures, KUSER_SHARED_DATA, ProcessorFeatures),
OFFSET(UsReserved1, KUSER_SHARED_DATA, Reserved1),
OFFSET(UsReserved3, KUSER_SHARED_DATA, Reserved3),
OFFSET(UsTimeSlip, KUSER_SHARED_DATA, TimeSlip),
OFFSET(UsAlternativeArchitecture, KUSER_SHARED_DATA, AlternativeArchitecture),
OFFSET(UsSystemExpirationDate, KUSER_SHARED_DATA, SystemExpirationDate), // not arm
OFFSET(UsSuiteMask, KUSER_SHARED_DATA, SuiteMask),
OFFSET(UsKdDebuggerEnabled, KUSER_SHARED_DATA, KdDebuggerEnabled),
OFFSET(UsActiveConsoleId, KUSER_SHARED_DATA, ActiveConsoleId),
OFFSET(UsDismountCount, KUSER_SHARED_DATA, DismountCount),
OFFSET(UsComPlusPackage, KUSER_SHARED_DATA, ComPlusPackage),
OFFSET(UsLastSystemRITEventTickCount, KUSER_SHARED_DATA, LastSystemRITEventTickCount),
OFFSET(UsNumberOfPhysicalPages, KUSER_SHARED_DATA, NumberOfPhysicalPages),
OFFSET(UsSafeBootMode, KUSER_SHARED_DATA, SafeBootMode),
OFFSET(UsTestRetInstruction, KUSER_SHARED_DATA, TestRetInstruction),
OFFSET(UsSystemCall, KUSER_SHARED_DATA, SystemCall), // not in win10
OFFSET(UsSystemCallReturn, KUSER_SHARED_DATA, SystemCallReturn), // not in win10
OFFSET(UsSystemCallPad, KUSER_SHARED_DATA, SystemCallPad),
OFFSET(UsTickCount, KUSER_SHARED_DATA, TickCount),
OFFSET(UsTickCountQuad, KUSER_SHARED_DATA, TickCountQuad),
OFFSET(UsWow64SharedInformation, KUSER_SHARED_DATA, Wow64SharedInformation), // not in win10
//OFFSET(UsXState, KUSER_SHARED_DATA, XState), // win 10
 
HEADER("KWAIT_BLOCK offsets"),
OFFSET(WbWaitListEntry, KWAIT_BLOCK, WaitListEntry),
OFFSET(WbThread, KWAIT_BLOCK, Thread),
OFFSET(WbObject, KWAIT_BLOCK, Object),
OFFSET(WbNextWaitBlock, KWAIT_BLOCK, NextWaitBlock), // not in win10
OFFSET(WbWaitKey, KWAIT_BLOCK, WaitKey),
OFFSET(WbWaitType, KWAIT_BLOCK, WaitType),
 
#ifdef _M_AMD64
SIZE(KSTART_FRAME_LENGTH, KSTART_FRAME),
#endif
 
#if 0
 
CONSTANT(CFlushSize),
CONSTANT(Win32BatchFlushCallout),
CONSTANT(ServiceCpupReturnFromSimulatedCode),
CONSTANT(X86AMD64_R3_LONG_MODE_CODE),
CONSTANT(USER_CALLBACK_FILTER),
CONSTANT(SYSTEM_CALL_INT_2E),
 
HEADER("Process mitigation option flags"),
CONSTANT(PS_MITIGATION_OPTION_BITS_PER_OPTION),
CONSTANT(PS_MITIGATION_OPTION_ALWAYS_ON),
CONSTANT(PS_MITIGATION_OPTION_ALWAYS_OFF),
CONSTANT(PS_MITIGATION_OPTION_MASK),
CONSTANT(PS_MITIGATION_OPTION_RETURN_FLOW_GUARD),
CONSTANT(PS_MITIGATION_OPTION_RESTRICT_SET_THREAD_CONTEXT),
 
#ifndef _M_ARM
HEADER("Bounds Callback Status Codes"),
CONSTANT(BoundExceptionContinueSearch),
CONSTANT(BoundExceptionHandled),
CONSTANT(BoundExceptionError),
#endif
 
HEADER("PS_SYSTEM_DLL_INIT_BLOCK"),
OFFSET(IbCfgBitMap, PS_SYSTEM_DLL_INIT_BLOCK, CfgBitMap),
OFFSET(IbWow64CfgBitMap, PS_SYSTEM_DLL_INIT_BLOCK, Wow64CfgBitMap),
OFFSET(IbMitigationOptionsMap, PS_SYSTEM_DLL_INIT_BLOCK, MitigationOptionsMap),
 
HEADER("Extended context"),
OFFSET(CxxLegacyOffset 0x8),
OFFSET(CxxLegacyLength 0xc),
OFFSET(CxxXStateOffset 0x10),
OFFSET(CxxXStateLength 0x14),
 
HEADER("Enclave call dispatch frame"),
OFFSET(EcEnclaveNumber, ???, EnclaveNumber),
OFFSET(EcParameterAddress, ???, ParameterAddress),
OFFSET(EcParameterValue, ???, ParameterValue),
OFFSET(EcOriginalReturn, ???, OriginalReturn),
OFFSET(EcFramePointer, ???, FramePointer),
OFFSET(EcReturnAddress, ???, ReturnAddress),
 
#ifndef _M_ARM
HEADER("Enlightenment"),
OFFSET(HeEnlightenments, ???, Enlightenments),
OFFSET(HeHypervisorConnected, ???, HypervisorConnected),
OFFSET(HeEndOfInterrupt, ???, EndOfInterrupt),
OFFSET(HeApicWriteIcr, ???, ApicWriteIcr),
OFFSET(HeSpinCountMask, ???, SpinCountMask),
OFFSET(HeLongSpinWait, ???, LongSpinWait),
#endif
 
HEADER("Processor Descriptor Area"),
OFFSET(PdaGdt, ????, ),
OFFSET(PdaKernelGsBase, ????, ),
 
OFFSET(PpFlags, ????, Flags),
OFFSET(EtwTSLength, ????, ),
OFFSET(CmThreadEnvironmentBlockOffset, ????, ),
OFFSET(PbEntropyCount, ????, ),
OFFSET(PbEntropyBuffer, ????, ),
 
#endif