MHS & Vista SP1 KB936330


Postby C0LdlinK » Thu Mar 20, 2008 1:46 am

Starting with a thousand thanks for sharing your software with us, L. Spiro.
Thus, yesterday, after downloading and setting up Service Pack 1 on Vista, I noticed that with MHS 4.016 I had some trouble running it correctly on my OS, especially with the Data-Type search function (no results found anywhere) and RAM Watcher (N/A comment on each address), so I tried an advanced search with specific addresses and it still doesn't give any results at this time.

After other short tests, I turned off MHS and tried that old TSearch, which we all already know works properly (at least for me), and had the same problem: it couldn't find any results.
So, I wondered if you have encountered the same trouble as me with SP1 and MHS 4.016?

I forgot to mention I used nProtect GameGuard rev1142 while playing a game yesterday; perhaps a part of the GG software or the GG driver blocked these programs in a particular case, but I'm still looking for a way out with MHS.
Thank you for taking the time to read this.
There you go, see you soon ;)
C0LdlinK
I Have A Few Questions
 
Posts: 5
Joined: Wed Mar 19, 2008 8:39 pm

Postby L. Spiro » Thu Mar 20, 2008 9:27 am

The problem is nProtect Game Guard which installs kernel-mode hooks on KeAttachProcess and KeStackAttachProcess to block all normal memory searchers.

My private version of MHS bypasses these hooks but gives blue screens. It will be released when it is stabilized, but I have no means of studying the problem so it will be a long while.


L. Spiro
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan

Postby C0LdlinK » Thu Mar 20, 2008 7:38 pm

OK, thank you for this info. I'm trying to remove GG now; I'm using RootkitRevealer, and I hope it'll remove it completely.
Bye, thank you L. Spiro. :)

If it ever works, I'll let you guys know.

Postby C0LdlinK » Fri Mar 21, 2008 8:51 pm

Well, apparently there's no way to uninstall GG or unhook the kernel mode on these processes you quoted, right?
I've read some info about this driver "dump_wmimmc.sys" on:

( path C:\WINDOWS\system32\drivers\dump_wmimmc.sys )

http://en.wikipedia.org/wiki/GameGuard :

wiki => Because of its method of actuation (similar to a rootkit), it is criticized for being too invasive. The software installs a device driver and offers no way to uninstall it.


I found a path in regedit but I can't remove it ( HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DUMP_WMIMMC ) and I'm not sure if I should remove it anyway; I'm clearly stuck on running MHS now :/

&

http://www.bleepingcomputer.com/forums/topic131307.html

Here's a program to uninstall GG, but it didn't truly work. (It just deleted some files, npptnt2.sys and nppt9x.vxd.)

& from the MPC forum:

http://www.mpcforum.com/showthread.php?t=216658

Game Guard works just like a rootkit and is sometimes questioned about how invasive it is to a person's computer. It installs a driver to your computer and does not offer you any way of uninstalling it, even after you delete the client that uses the Game Guard service.


Actually, I still don't have access to my memory with MHS; if anybody has a solution that avoids reinstalling Windows, it would be great. :(

See you later

Postby L. Spiro » Fri Mar 21, 2008 9:10 pm

You can research nProtect Game Guard’s hooks with the MHS script. Refer to the help file for hook-revealing examples. You can code your own bypasses with the scripts as well using ReadLocalMemory() and WriteLocalMemory() to read/write kernel RAM without attaching to any processes.


L. Spiro
Our songs remind you of songs you’ve never heard.

Postby C0LdlinK » Fri Mar 21, 2008 10:13 pm

Well, I'd like to code my own bypass or anything else usable for games, but I'm a basic MHS user; I can't manage the kind of scripting you mentioned, and I'm not using GG anymore or games affiliated with GG.
I'm just trying to completely remove GameGuard to use your software like before, if it's possible?
If it's not, well, thank you for your time.
All the best.

Postby L. Spiro » Fri Mar 21, 2008 10:16 pm

What you are experiencing now is the reason I refuse to install nProtect Game Guard.

I do not know how to uninstall it.


L. Spiro

Postby C0LdlinK » Fri May 23, 2008 5:57 am

Hi again, I'm just passing by to say I more or less resolved the matter on my PC last week: after uninstalling Vista Service Pack 1, MHS appears to run much like before the pack was installed (with MHS 4.017).
Therefore, apparently there is something in SP1 which is blocking MHS (blocking RAM Watcher, memory search, etc.).

I don't know if I'm actually the only one to have this problem, but when I set up SP1, the problem comes back and I can't use the software again, so it's clearly Vista SP1.

If anyone has an idea about which update in the pack is blocking MHS, just let us know :)

Thank you.

Postby L. Spiro » Fri May 23, 2008 9:58 am

I already know about the issues on Windows® Vista® SP1.

When someone finds and posts a definition of the 6001 build EPROCESS structure I will release an update that works on Windows® Vista® SP1.

Same with Windows® XP® SP3.


L. Spiro

allrighty

Postby brainz » Thu Jun 19, 2008 7:40 pm

Who do we have to... erh... bribe to get a copy of said definition?
I need MHS under Vista SP1 (I know Vista sucks).
brainz
I Ask A Lot Of Questions
 
Posts: 12
Joined: Thu Jun 19, 2008 2:21 pm

Postby L. Spiro » Thu Jun 19, 2008 9:47 pm

When I find that person I will be the first to bribe him or her.


L. Spiro

Postby colintso » Fri Jun 20, 2008 10:30 am

L. Spiro wrote: I already know about the issues on Windows® Vista® SP1.

When someone finds and posts a definition of the 6001 build EPROCESS structure I will release an update that works on Windows® Vista® SP1.

Same with Windows® XP® SP3.


L. Spiro


Oh sh*t,
just noticed...errors all around...
(Windows XP SP3)
noobs have to learn, or they will always be noobs
colintso
Ex-Mack Haster
 
Posts: 796
Joined: Tue Mar 04, 2008 2:16 pm
Location: C:/WINDOWS/system32/zlib.dll

Postby brainz » Sat Jul 19, 2008 8:24 am

Damn it, this is taking too long; someone spill the beans, or rather the EPROCESS definition! It sucks to do this in a virtual machine...

Edit: the EPROCESS def ain't that big... can't we (you, heh) just guesstimate it? How much can they really have changed? Heh

Postby brainz » Sat Jul 19, 2008 8:32 am

Dude, Spiro

http://www.rohitab.com/discuss/lofivers ... 31076.html

This didn't work out for you?

Postby L. Spiro » Sat Jul 19, 2008 11:10 am

I have already implemented the update from that source and it is ready for the next release.


And just so you know, what he gave me is this:

[code]Path: ntkrnlmp.pdb
Version: 7.00
Streams: 18
Unused: none

TPI Version: 20040203
Index range: 1000..20FE
Type count: 4351

HDR.vers = 20040203
HDR.cbHdr = 0x00000038
HDR.tiMin = 0x00001000
HDR.tiMac = 0x000020FF
HDR.cbGprec = 0x0004203C
HDR.tpihash.sn = 0x0011
HDR.tpihash.snPad = 0xFFFF
HDR.tpihash.cbHashKey = 0x00000004
HDR.tpihash.cHashBuckets = 0x00008003
HDR.tpihash.offcbHashVals.off = 0x00000000
HDR.tpihash.offcbHashVals.cb = 0x000043FC
HDR.tpihash.offcbTiOff.off = 0x000043FC
HDR.tpihash.offcbTiOff.cb = 0x00000110
HDR.tpihash.offcbHashAdj.off = 0x0000450C
HDR.tpihash.offcbHashAdj.cb = 0x00000000

1000: 1001 00000038 ???
1001: 1002 00000044 pointer 00001000
1002: 1002 00000050 pointer 00001000
1003: 1505 0000005C struct 00000000 00000000 0000 00000000 00000000 [LIST_ENTRY64]
1004: 1002 00000080 pointer 00001003
1005: 1203 0000008C
150D field 00000000 (00000023) [Flink]
150D field 00000008 (00000023) [Blink]
1006: 1505 000000B0 struct 00001005 00000010 0002 00000000 00000000 [LIST_ENTRY64]
1007: 1505 000000D4 struct 00000000 00000000 0000 00000000 00000000 [LIST_ENTRY32]
1008: 1002 000000F8 pointer 00001007
1009: 1203 00000104
150D field 00000000 (00000022) [Flink]
150D field 00000004 (00000022) [Blink]
100A: 1505 00000128 struct 00001009 00000008 0002 00000000 00000000 [LIST_ENTRY32]
100B: 1001 0000014C ???
100C: 1002 00000158 pointer 0000100B
100D: 1201 00000164 arglist 00000002 0000100C 00000075
100E: 1008 00000174 proc 00000075 0000100D 0002 00
100F: 1002 00000184 pointer 0000100E
1010: 1001 00000190 ???
1011: 1002 0000019C pointer 00001010
1012: 1201 000001A8 arglist 00000002 00001011 00000075
1013: 1008 000001B8 proc 00000075 00001012 0002 00
1014: 1002 000001C8 pointer 00001013
1015: 1001 000001D4 ???
1016: 1002 000001E0 pointer 00001015
1017: 1506 000001EC union 00000000 00000000 0000 [_ULARGE_INTEGER]
1018: 1203 0000020C
150D field 00000000 (00000022) [LowPart]
150D field 00000004 (00000022) [HighPart]
1019: 1505 00000238 struct 00001018 00000008 0002 00000000 00000000 [<unnamed-tag>]
101A: 1203 0000025C
150D field 00000000 (00000022) [LowPart]
150D field 00000004 (00000022) [HighPart]
150D field 00000000 (00001019) [u]
150D field 00000000 (00000023) [QuadPart]
101B: 1506 000002A8 union 0000101A 00000008 0004 [_ULARGE_INTEGER]
101C: 1506 000002C8 union 00000000 00000000 0000 [_LARGE_INTEGER]
101D: 1203 000002E8
150D field 00000000 (00000022) [LowPart]
150D field 00000004 (00000012) [HighPart]
101E: 1505 00000314 struct 0000101D 00000008 0002 00000000 00000000 [<unnamed-tag>]
101F: 1203 00000338
150D field 00000000 (00000022) [LowPart]
150D field 00000004 (00000012) [HighPart]
150D field 00000000 (0000101E) [u]
150D field 00000000 (00000013) [QuadPart]
1020: 1506 00000384 union 0000101F 00000008 0004 [_LARGE_INTEGER]
1021: 1201 000003A4 arglist 00000000
1022: 1008 000003AC proc 00000023 00001021 0000 07
1023: 1002 000003BC pointer 00001022
1024: 1505 000003C8 struct 00000000 00000000 0000 00000000 00000000 [_TP_CALLBACK_ENVIRON]
1025: 1002 000003F4 pointer 00001024
1026: 1505 00000400 struct 00000000 00000000 0000 00000000 00000000 [_TP_POOL]
1027: 1002 00000420 pointer 00001026
1028: 1505 0000042C struct 00000000 00000000 0000 00000000 00000000 [_TP_CLEANUP_GROUP]
1029: 1002 00000454 pointer 00001028
102A: 1201 00000460 arglist 00000002 00000403 00000403
102B: 1008 00000470 proc 00000003 0000102A 0002 07
102C: 1002 00000480 pointer 0000102B
102D: 1505 0000048C struct 00000000 00000000 0000 00000000 00000000 [_ACTIVATION_CONTEXT]
102E: 1002 000004B8 pointer 0000102D
102F: 1505 000004C4 struct 00000000 00000000 0000 00000000 00000000 [_TP_CALLBACK_INSTANCE]
1030: 1002 000004F0 pointer 0000102F
1031: 1201 000004FC arglist 00000002 00001030 00000403
1032: 1008 0000050C proc 00000003 00001031 0002 07
1033: 1002 0000051C pointer 00001032
1034: 1205 00000528 bitfield (00000022) 00 : 01
1035: 1205 00000534 bitfield (00000022) 01 : 1F
1036: 1203 00000540
150D field 00000000 (00001034) [LongFunction]
150D field 00000000 (00001035) [Private]
1037: 1505 00000570 struct 00001036 00000004 0002 00000000 00000000 [<unnamed-tag>]
1038: 1203 00000594
150D field 00000000 (00000022) [Flags]
150D field 00000000 (00001037) [s]
1039: 1506 000005B4 union 00001038 00000004 0002 [<unnamed-tag>]
103A: 1203 000005D0
150D field 00000000 (00000022) [Version]
150D field 00000004 (00001027) [Pool]
150D field 00000008 (00001029) [CleanupGroup]
150D field 0000000C (0000102C) [CleanupGroupCancelCallback]
150D field 00000010 (00000403) [RaceDll]
150D field 00000014 (0000102E) [ActivationContext]
150D field 00000018 (00001033) [FinalizationCallback]
150D field 0000001C (00001039) [u]
103B: 1505 00000694 struct 0000103A 00000020 0008 00000000 00000000 [_TP_CALLBACK_ENVIRON]
103C: 1505 000006C0 struct 00000000 00000000 0000 00000000 00000000 [_TP_TASK_CALLBACKS]
103D: 1001 000006EC ???
103E: 1002 000006F8 pointer 0000103D
103F: 1505 00000704 struct 00000000 00000000 0000 00000000 00000000 [_TP_TASK]
1040: 1002 00000724 pointer 0000103F
1041: 1201 00000730 arglist 00000002 00001030 00001040
1042: 1008 00000740 proc 00000003 00001041 0002 07
1043: 1002 00000750 pointer 00001042
1044: 1201 0000075C arglist 00000002 00001040 00001027
1045: 1008 0000076C proc 00000003 00001044 0002 07
1046: 1002 0000077C pointer 00001045
1047: 1203 00000788
150D field 00000000 (00001043) [ExecuteCallback]
150D field 00000004 (00001046) [Unposted]
1048: 1505 000007BC struct 00001047 00000008 0002 00000000 00000000 [_TP_TASK_CALLBACKS]
1049: 1203 000007E8
150D field 00000000 (0000103E) [Callbacks]
104A: 1505 00000800 struct 00001049 00000004 0001 00000000 00000000 [_TP_TASK]
104B: 1505 00000820 struct 00000000 00000000 0000 00000000 00000000 [_TP_DIRECT]
104C: 1002 00000844 pointer 0000104B
104D: 1505 00000850 struct 00000000 00000000 0000 00000000 00000000 [_IO_STATUS_BLOCK]
104E: 1002 00000878 pointer 0000104D
104F: 1201 00000884 arglist 00000004 00001030 0000104C 00000403 0000104E
1050: 1008 0000089C proc 00000003 0000104F 0004 07
1051: 1002 000008AC pointer 00001050
1052: 1203 000008B8
150D field 00000000 (00001051) [Callback]
1053: 1505 000008D0 struct 00001052 00000004 0001 00000000 00000000 [_TP_DIRECT]
1054: 1505 000008F4 struct 00000000 00000000 0000 00000000 00000000 [_LIST_ENTRY]
1055: 1002 00000918 pointer 00001054
1056: 1203 00000924
150D field 00000000 (00001055) [Flink]
150D field 00000004 (00001055) [Blink]
1057: 1505 00000948 struct 00001056 00000008 0002 00000000 00000000 [_LIST_ENTRY]
1058: 1001 0000096C ???
1059: 1002 00000978 pointer 00001058
105A: 1505 00000984 struct 00000000 00000000 0000 00000000 00000000 [_SINGLE_LIST_ENTRY]
105B: 1002 000009B0 pointer 0000105A
105C: 1203 000009BC
150D field 00000000 (0000105B) [Next]
105D: 1505 000009D0 struct 0000105C 00000004 0001 00000000 00000000 [_SINGLE_LIST_ENTRY]
105E: 1505 000009FC struct 00000000 00000000 0000 00000000 00000000 [_UNICODE_STRING]
105F: 1002 00000A24 pointer 0000105E
1060: 1203 00000A30
150D field 00000000 (00000021) [Length]
150D field 00000002 (00000021) [MaximumLength]
150D field 00000004 (00000421) [Buffer]
1061: 1505 00000A74 struct 00001060 00000008 0003 00000000 00000000 [_UNICODE_STRING]
1062: 1505 00000A9C struct 00000000 00000000 0000 00000000 00000000 [_STRING]
1063: 1002 00000ABC pointer 00001062
1064: 1203 00000AC8
150D field 00000000 (00000021) [Length]
150D field 00000002 (00000021) [MaximumLength]
150D field 00000004 (00000470) [Buffer]
1065: 1505 00000B0C struct 00001064 00000008 0003 00000000 00000000 [_STRING]
1066: 1001 00000B2C ???
1067: 1002 00000B38 pointer 00001066
1068: 1505 00000B44 struct 00000000 00000000 0000 00000000 00000000 [_LUID]
1069: 1505 00000B60 struct 0000101D 00000008 0002 00000000 00000000 [_LUID]
106A: 1505 00000B7C struct 00000000 00000000 0000 00000000 00000000 [_IMAGE_NT_HEADERS]
106B: 1002 00000BA4 pointer 0000106A
106C: 1505 00000BB0 struct 00000000 00000000 0000 00000000 00000000 [_IMAGE_FILE_HEADER]
106D: 1505 00000BDC struct 00000000 00000000 0000 00000000 00000000 [_IMAGE_OPTIONAL_HEADER]
106E: 1203 00000C0C
150D field 00000000 (00000022) [Signature]
150D field 00000004 (0000106C) [FileHeader]
150D field 00000018 (0000106D) [OptionalHeader]
106F: 1505 00000C58 struct 0000106E 000000F8 0003 00000000 00000000 [_IMAGE_NT_HEADERS]
1070: 1001 00000C80 ???
1071: 1002 00000C8C pointer 00001070
1072: 1201 00000C98 arglist 00000003 00001071 00000413 00000413
1073: 1008 00000CAC proc 00000013 00001072 0003 04
1074: 1002 00000CBC pointer 00001073
1075: 1505 00000CC8 struct 00000000 00000000 0000 00000000 00000000 [_KPRCB]
1076: 1002 00000CE8 pointer 00001075
1077: 1505 00000CF4 struct 00000000 00000000 0000 00000000 00000000 [_KTHREAD]
1078: 1002 00000D14 pointer 00001077
1079: 1505 00000D20 struct 00000000 00000000 0000 00000000 00000000 [_KPROCESSOR_STATE]
107A: 1503 00000D48 array 00000022 00000022 00000040
107B: 1503 00000D58 array 00000020 00000022 00000002
107C: 1503 00000D68 array 00000020 00000022 00000050
107D: 1505 00000D78 struct 00000000 00000000 0000 00000000 00000000 [_KSPIN_LOCK_QUEUE]
107E: 1503 00000DA0 array 0000107D 00000022 00000188
107F: 1505 00000DB0 struct 00000000 00000000 0000 00000000 00000000 [_KNODE]
1080: 1002 00000DD0 pointer 0000107F
1081: 1503 00000DDC array 00000022 00000022 0000000C
1082: 1505 00000DEC struct 00000000 00000000 0000 00000000 00000000 [_PP_LOOKASIDE_LIST]
1083: 1503 00000E18 array 00001082 00000022 00000080
1084: 1505 00000E28 struct 00000000 00000000 0000 00000000 00000000 [_GENERAL_LOOKASIDE_POOL]
1085: 1503 00000E58 array 00001084 00000022 00000900
1086: 1001 00000E68 ???
1087: 1503 00000E74 array 00000020 00000022 00000034
1088: 1002 00000E84 pointer 00000003
1089: 1503 00000E90 array 00001088 00000022 0000000C
108A: 1201 00000EA0 arglist 00000004 00000403 00000403 00000403 00000403
108B: 1008 00000EB8 proc 00000003 0000108A 0004 07
108C: 1002 00000EC8 pointer 0000108B
108D: 1503 00000ED4 array 00000020 00000022 00000028
108E: 1002 00000EE4 pointer 00001075
108F: 1503 00000EF0 array 00000020 00000022 00000038
1090: 1505 00000F00 struct 00000000 00000000 0000 00000000 00000000 [_KDPC_DATA]
1091: 1503 00000F24 array 00001090 00000022 00000028
1092: 1001 00000F34 ???
1093: 1505 00000F40 struct 00000000 00000000 0000 00000000 00000000 [_KEVENT]
1094: 1503 00000F60 array 00000020 00000022 00000006
1095: 1505 00000F70 struct 00000000 00000000 0000 00000000 00000000 [_KDPC]
1096: 1503 00000F8C array 00000022 00000022 00000008
1097: 1503 00000F9C array 00000023 00000022 00000018
1098: 1503 00000FAC array 00001054 00000022 00000100
1099: 1503 00000FBC array 00000020 00000022 00000003
109A: 1503 00000FCC array 00000020 00000022 0000000D
109B: 1503 00000FDC array 00000020 00000022 00000005
109C: 1001 00000FEC ???
109D: 1505 00000FF8 struct 00000000 00000000 0000 00000000 00000000 [_FX_SAVE_AREA]
109E: 1505 0000101C struct 00000000 00000000 0000 00000000 00000000 [_PROCESSOR_POWER_STATE]
109F: 1505 0000104C struct 00000000 00000000 0000 00000000 00000000 [_KTIMER]
10A0: 1506 0000106C union 00000000 00000000 0000 [_SLIST_HEADER]
10A1: 1505 00001088 struct 00000000 00000000 0000 00000000 00000000 [_CACHE_DESCRIPTOR]
10A2: 1503 000010B0 array 000010A1 00000022 0000003C
10A3: 1503 000010C0 array 00000022 00000022 00000014
10A4: 1203 000010D0
150D field 00000000 (00000021) [MinorVersion]
150D field 00000002 (00000021) [MajorVersion]
150D field 00000004 (00001078) [CurrentThread]
150D field 00000008 (00001078) [NextThread]
150D field 0000000C (00001078) [IdleThread]
150D field 00000010 (00000020) [Number]
150D field 00000011 (00000020) [NestingLevel]
150D field 00000012 (00000021) [BuildType]
150D field 00000014 (00000022) [SetMember]
150D field 00000018 (00000070) [CpuType]
150D field 00000019 (00000070) [CpuID]
150D field 0000001A (00000021) [CpuStep]
150D field 0000001A (00000020) [CpuStepping]
150D field 0000001B (00000020) [CpuModel]
150D field 0000001C (00001079) [ProcessorState]
150D field 0000033C (0000107A) [KernelReserved]
150D field 0000037C (0000107A) [HalReserved]
150D field 000003BC (00000022) [CFlushSize]
150D field 000003C0 (00000020) [CoresPerPhysicalProcessor]
150D field 000003C1 (00000020) [LogicalProcessorsPerCore]
150D field 000003C2 (0000107B) [PrcbPad0]
150D field 000003C4 (00000022) [MHz]
150D field 000003C8 (0000107C) [PrcbPad1]
150D field 00000418 (0000107E) [LockQueue]
150D field 000005A0 (00001078) [NpxThread]
150D field 000005A4 (00000022) [InterruptCount]
150D field 000005A8 (00000022) [KernelTime]
150D field 000005AC (00000022) [UserTime]
150D field 000005B0 (00000022) [DpcTime]
150D field 000005B4 (00000022) [DpcTimeCount]
150D field 000005B8 (00000022) [InterruptTime]
150D field 000005BC (00000022) [AdjustDpcThreshold]
150D field 000005C0 (00000022) [PageColor]
150D field 000005C4 (00000020) [SkipTick]
150D field 000005C5 (00000020) [DebuggerSavedIRQL]
150D field 000005C6 (00000020) [NodeColor]
150D field 000005C7 (00000020) [PollSlot]
150D field 000005C8 (00000022) [NodeShiftedColor]
150D field 000005CC (00001080) [ParentNode]
150D field 000005D0 (00000022) [MultiThreadProcessorSet]
150D field 000005D4 (00001076) [MultiThreadSetMaster]
150D field 000005D8 (00000022) [SecondaryColorMask]
150D field 000005DC (00000022) [DpcTimeLimit]
150D field 000005E0 (00000022) [CcFastReadNoWait]
150D field 000005E4 (00000022) [CcFastReadWait]
150D field 000005E8 (00000022) [CcFastReadNotPossible]
150D field 000005EC (00000022) [CcCopyReadNoWait]
150D field 000005F0 (00000022) [CcCopyReadWait]
150D field 000005F4 (00000022) [CcCopyReadNoWaitMiss]
150D field 000005F8 (00001015) [MmSpinLockOrdering]
150D field 000005FC (00001015) [IoReadOperationCount]
150D field 00000600 (00001015) [IoWriteOperationCount]
150D field 00000604 (00001015) [IoOtherOperationCount]
150D field 00000608 (0000101C) [IoReadTransferCount]
150D field 00000610 (0000101C) [IoWriteTransferCount]
150D field 00000618 (0000101C) [IoOtherTransferCount]
150D field 00000620 (00000022) [CcFastMdlReadNoWait]
150D field 00000624 (00000022) [CcFastMdlReadWait]
150D field 00000628 (00000022) [CcFastMdlReadNotPossible]
150D field 0000062C (00000022) [CcMapDataNoWait]
150D field 00000630 (00000022) [CcMapDataWait]
150D field 00000634 (00000022) [CcPinMappedDataCount]
150D field 00000638 (00000022) [CcPinReadNoWait]
150D field 0000063C (00000022) [CcPinReadWait]
150D field 00000640 (00000022) [CcMdlReadNoWait]
150D field 00000644 (00000022) [CcMdlReadWait]
150D field 00000648 (00000022) [CcLazyWriteHotSpots]
150D field 0000064C (00000022) [CcLazyWriteIos]
150D field 00000650 (00000022) [CcLazyWritePages]
150D field 00000654 (00000022) [CcDataFlushes]
150D field 00000658 (00000022) [CcDataPages]
150D field 0000065C (00000022) [CcLostDelayedWrites]
150D field 00000660 (00000022) [CcFastReadResourceMiss]
150D field 00000664 (00000022) [CcCopyReadWaitMiss]
150D field 00000668 (00000022) [CcFastMdlReadResourceMiss]
150D field 0000066C (00000022) [CcMapDataNoWaitMiss]
150D field 00000670 (00000022) [CcMapDataWaitMiss]
150D field 00000674 (00000022) [CcPinReadNoWaitMiss]
150D field 00000678 (00000022) [CcPinReadWaitMiss]
150D field 0000067C (00000022) [CcMdlReadNoWaitMiss]
150D field 00000680 (00000022) [CcMdlReadWaitMiss]
150D field 00000684 (00000022) [CcReadAheadIos]
150D field 00000688 (00000022) [KeAlignmentFixupCount]
150D field 0000068C (00000022) [KeExceptionDispatchCount]
150D field 00000690 (00000022) [KeSystemCalls]
150D field 00000694 (00001081) [PrcbPad2]
150D field 000006A0 (00001083) [PPLookasideList]
150D field 00000720 (00001085) [PPNPagedLookasideList]
150D field 00001020 (00001085) [PPPagedLookasideList]
150D field 00001920 (00001086) [PacketBarrier]
150D field 00001924 (00001015) [ReverseStall]
150D field 00001928 (00000403) [IpiFrame]
150D field 0000192C (00001087) [PrcbPad3]
150D field 00001960 (00001089) [CurrentPacket]
150D field 0000196C (00001086) [TargetSet]
150D field 00001970 (0000108C) [WorkerRoutine]
150D field 00001974 (00001086) [IpiFrozen]
150D field 00001978 (0000108D) [PrcbPad4]
150D field 000019A0 (00001086) [RequestSummary]
150D field 000019A4 (0000108E) [SignalDone]
150D field 000019A8 (0000108F) [PrcbPad5]
150D field 000019E0 (00001091) [DpcData]
150D field 00001A08 (00000403) [DpcStack]
150D field 00001A0C (00000012) [MaximumDpcQueueDepth]
150D field 00001A10 (00000022) [DpcRequestRate]
150D field 00001A14 (00000022) [MinimumDpcRate]
150D field 00001A18 (00001092) [DpcInterruptRequested]
150D field 00001A19 (00001092) [DpcThreadRequested]
150D field 00001A1A (00001092) [DpcRoutineActive]
150D field 00001A1B (00001092) [DpcThreadActive]
150D field 00001A1C (00000022) [PrcbLock]
150D field 00001A20 (00000022) [DpcLastCount]
150D field 00001A24 (00001086) [TimerHand]
150D field 00001A28 (00001086) [TimerRequest]
150D field 00001A2C (00000403) [PrcbPad41]
150D field 00001A30 (00001093) [DpcEvent]
150D field 00001A40 (00000020) [ThreadDpcEnable]
150D field 00001A41 (00001092) [QuantumEnd]
150D field 00001A42 (00000020) [PrcbPad50]
150D field 00001A43 (00001092) [IdleSchedule]
150D field 00001A44 (00000012) [DpcSetEventRequest]
150D field 00001A48 (00000012) [Sleeping]
150D field 00001A4C (00000022) [PeriodicCount]
150D field 00001A50 (00000022) [PeriodicBias]
150D field 00001A54 (00001094) [PrcbPad51]
150D field 00001A5C (00000012) [TickOffset]
150D field 00001A60 (00001095) [CallDpc]
150D field 00001A80 (00000012) [ClockKeepAlive]
150D field 00001A84 (00000020) [ClockCheckSlot]
150D field 00001A85 (00000020) [ClockPollCycle]
150D field 00001A86 (0000107B) [PrcbPad6]
150D field 00001A88 (00000012) [DpcWatchdogPeriod]
150D field 00001A8C (00000012) [DpcWatchdogCount]
150D field 00001A90 (00000012) [ThreadWatchdogPeriod]
150D field 00001A94 (00000012) [ThreadWatchdogCount]
150D field 00001A98 (00001096) [PrcbPad70]
150D field 00001AA0 (00001054) [WaitListHead]
150D field 00001AA8 (00000022) [WaitLock]
150D field 00001AAC (00000022) [ReadySummary]
150D field 00001AB0 (00000022) [QueueIndex]
150D field 00001AB4 (0000105A) [DeferredReadyListHead]
150D field 00001AB8 (00000023) [StartCycles]
150D field 00001AC0 (00000023) [CycleTime]
150D field 00001AC8 (00001097) [PrcbPad71]
150D field 00001AE0 (00001098) [DispatcherReadyListHead]
150D field 00001BE0 (00000403) [ChainedInterruptList]
150D field 00001BE4 (00000012) [LookasideIrpFloat]
150D field 00001BE8 (00001015) [MmPageFaultCount]
150D field 00001BEC (00001015) [MmCopyOnWriteCount]
150D field 00001BF0 (00001015) [MmTransitionCount]
150D field 00001BF4 (00001015) [MmCacheTransitionCount]
150D field 00001BF8 (00001015) [MmDemandZeroCount]
150D field 00001BFC (00001015) [MmPageReadCount]
150D field 00001C00 (00001015) [MmPageReadIoCount]
150D field 00001C04 (00001015) [MmCacheReadCount]
150D field 00001C08 (00001015) [MmCacheIoCount]
150D field 00001C0C (00001015) [MmDirtyPagesWriteCount]
150D field 00001C10 (00001015) [MmDirtyWriteIoCount]
150D field 00001C14 (00001015) [MmMappedPagesWriteCount]
150D field 00001C18 (00001015) [MmMappedWriteIoCount]
150D field 00001C1C (00001086) [CachedCommit]
150D field 00001C20 (00001086) [CachedResidentAvailable]
150D field 00001C24 (00000403) [HyperPte]
150D field 00001C28 (00000020) [CpuVendor]
150D field 00001C29 (00001099) [PrcbPad8]
150D field 00001C2C (0000109A) [VendorString]
150D field 00001C39 (00000020) [InitialApicId]
150D field 00001C3A (00000020) [LogicalProcessorsPerPhysicalProcessor]
150D field 00001C3B (0000109B) [PrcbPad9]
150D field 00001C40 (00000022) [FeatureBits]
150D field 00001C48 (0000101C) [UpdateSignature]
150D field 00001C50 (0000109C) [IsrTime]
150D field 00001C58 (00000023) [SpareField1]
150D field 00001C60 (0000109D) [NpxSaveArea]
150D field 00001E70 (0000109E) [PowerState]
150D field 00001F38 (00001095) [DpcWatchdogDpc]
150D field 00001F58 (0000109F) [DpcWatchdogTimer]
150D field 00001F80 (00000403) [WheaInfo]
150D field 00001F84 (00000403) [EtwSupport]
150D field 00001F88 (000010A0) [InterruptObjectPool]
150D field 00001F90 (000010A0) [HypercallPageList]
150D field 00001F98 (00000403) [HypercallPageVirtual]
150D field 00001F9C (00000403) [VirtualApicAssist]
150D field 00001FA0 (00000423) [StatisticsPage]
150D field 00001FA4 (00000403) [RateControl]
150D field 00001FA8 (000010A2) [Cache]
150D field 00001FE4 (00000022) [CacheCount]
150D field 00001FE8 (000010A3) [CacheProcessorMask]
150D field 00001FFC (00000022) [PackageProcessorSet]
150D field 00002000 (00000022) [CoreProcessorSet]
10A5: 1505 0000246C struct 000010A4 00002008 00BE 00000000 00000000 [_KPRCB]
10A6: 1505 0000248C struct 00000000 00000000 0000 00000000 00000000 [_KPCR]
10A7: 1002 000024A8 pointer 000010A6
10A8: 1505 000024B4 struct 00000000 00000000 0000 00000000 00000000 [_NT_TIB]
10A9: 1505 000024D4 struct 00000000 00000000 0000 00000000 00000000 [_EXCEPTION_REGISTRATION_RECORD]
10AA: 1002 0000250C pointer 000010A9
10AB: 1505 00002518 struct 00000000 00000000 0000 00000000 00000000 [_KIDTENTRY]
10AC: 1002 0000253C pointer 000010AB
10AD: 1505 00002548 struct 00000000 00000000 0000 00000000 00000000 [_KGDTENTRY]
10AE: 1002 0000256C pointer 000010AD
10AF: 1505 00002578 struct 00000000 00000000 0000 00000000 00000000 [_KTSS]
10B0: 1002 00002594 pointer 000010AF
10B1: 1503 000025A0 array 00000022 00000022 00000038
10B2: 1503 000025B0 array 00000022 00000022 00000044
10B3: 1203 000025C0
150D field 00000000 (000010A8) [NtTib]
150D field 00000000 (000010AA) [Used_ExceptionList]
150D field 00000004 (00000403) [Used_StackBase]
150D field 00000008 (00000403) [Spare2]
150D field 0000000C (00000403) [TssCopy]
150D field 00000010 (00000022) [ContextSwitches]
150D field 00000014 (00000022) [SetMemberCopy]
150D field 00000018 (00000403) [Used_Self]
150D field 0000001C (000010A7) [SelfPcr]
150D field 00000020 (00001076) [Prcb]
150D field 00000024 (00000020) [Irql]
150D field 00000028 (00000022) [IRR]
150D field 0000002C (00000022) [IrrActive]
150D field 00000030 (00000022) [IDR]
150D field 00000034 (00000403) [KdVersionBlock]
150D field 00000038 (000010AC) [IDT]
Our songs remind you of songs you’ve never heard.
L. Spiro
 
Posts: 3129
Joined: Mon Jul 17, 2006 10:14 pm
Location: Tokyo, Japan
